https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629799#M218796 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253621">@Chris231289</a>&nbsp;<BR /><BR />It's useful for these types of queries to understand where the events to be filtered come from and how they look.&nbsp; It also may depend on where you need to filter the data, has it been transformed into a summary already.&nbsp; These things can make a difference to how you would filter out events.&nbsp;<BR /><BR />If this is standard search query then by default Splunk creates a data_hour field (from the _time field) so something like this would work...</P><PRE>...your base query search query...<BR />| where ((date_hour &lt; 8 OR (date_hour &gt;= 17))</PRE><P>Maybe provide a sample of you data or your current search query if this does not work for you.&nbsp;<BR />&nbsp;<BR />Hope this helps.<BR /><BR /></P> Mon, 06 Feb 2023 22:03:28 GMT yeahnah 2023-02-06T22:03:28Z https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629793#M218793 <P>Hello,&nbsp;</P> <P>i am looking to narrow down my search field, i only want to search for events that happen outside of&nbsp; a specific time range. I want to search for events that happen outside of 0800 to 1700</P> <P>Any help would be appriceated&nbsp;</P> <P>Kind regards&nbsp;</P> Tue, 07 Feb 2023 02:08:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629793#M218793 Chris231289 2023-02-07T02:08:05Z https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629799#M218796 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253621">@Chris231289</a>&nbsp;<BR /><BR />It's useful for these types of queries to understand where the events to be filtered come from and how they look.&nbsp; It also may depend on where you need to filter the data, has it been transformed into a summary already.&nbsp; These things can make a difference to how you would filter out events.&nbsp;<BR /><BR />If this is standard search query then by default Splunk creates a data_hour field (from the _time field) so something like this would work...</P><PRE>...your base query search query...<BR />| where ((date_hour &lt; 8 OR (date_hour &gt;= 17))</PRE><P>Maybe provide a sample of you data or your current search query if this does not work for you.&nbsp;<BR />&nbsp;<BR />Hope this helps.<BR /><BR /></P> Mon, 06 Feb 2023 22:03:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629799#M218796 yeahnah 2023-02-06T22:03:28Z https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629800#M218797 <P>thank you but when i put in&nbsp;| where((date_hour &lt; 8 OR (date_hour &gt;= 17))&nbsp; i get the error&nbsp;<SPAN>Error in 'where' command: The expression is malformed. Expected ).</SPAN></P> Mon, 06 Feb 2023 22:19:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629800#M218797 Chris231289 2023-02-06T22:19:08Z https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629805#M218798 <P><SPAN>Looks like i missed the closing parenthesis after the 8.&nbsp; Try...<BR />&nbsp;<BR />| where&nbsp; ((date_hour &lt; 8 ) OR (date_hour &gt;= 17))</SPAN></P> Mon, 06 Feb 2023 22:45:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-narrow-down-data-with-time/m-p/629805#M218798 yeahnah 2023-02-06T22:45:28Z