https://community.splunk.com/t5/Splunk-Search/How-to-search-for-records-between-respective-timezones/m-p/643779#M223022 <P>The <FONT face="courier new,courier">search</FONT> command cannot handle a field ("variable") name on both sides of the operator.&nbsp; Use <FONT face="courier new,courier">where</FONT>, instead.</P><LI-CODE lang="markup">index=ovpm sourcetype=ovpm_global | search "Service Name" = "WSB EXPRESS" | eval region = case(substr(SYSTEMNAME, 1, 2) == "my", "AP", substr(SYSTEMNAME, 1, 2) == "cz", "EU", substr(SYSTEMNAME, 1, 2) == "us", "AM", true(), "Other") | eval regionStartHour = tonumber(case(substr(SYSTEMNAME, 1, 2) == "my", 0, substr(SYSTEMNAME, 1, 2) == "cz", 8, substr(SYSTEMNAME, 1, 2) == "us", 16, true(), 0)) | eval regionEndHour = tonumber(case(substr(SYSTEMNAME, 1, 2) == "my", 8, substr(SYSTEMNAME, 1, 2) == "cz", 16, substr(SYSTEMNAME, 1, 2) == "us", 24, true(), 0)) | eval hr = strftime(_time, "%H") | where hr&gt;=regionStartHour AND hr&lt;=regionEndHour</LI-CODE> Thu, 18 May 2023 14:08:25 GMT richgalloway 2023-05-18T14:08:25Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-records-between-respective-timezones/m-p/643772#M223018 <P>We have logs from multiple region, but only want to report those between respective regions working hours.<BR />Created following query which works fine when putting an absolute number, but doesn't filter by variables.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">index=ovpm sourcetype=ovpm_global | search "Service Name" = "WSB EXPRESS" | eval region = case(substr(SYSTEMNAME, 1, 2) == "my", "AP", substr(SYSTEMNAME, 1, 2) == "cz", "EU", substr(SYSTEMNAME, 1, 2) == "us", "AM", true(), "Other") | eval regionStartHour = tonumber(case(substr(SYSTEMNAME, 1, 2) == "my", 0, substr(SYSTEMNAME, 1, 2) == "cz", 8, substr(SYSTEMNAME, 1, 2) == "us", 16, true(), 0)) | eval regionEndHour = tonumber(case(substr(SYSTEMNAME, 1, 2) == "my", 8, substr(SYSTEMNAME, 1, 2) == "cz", 16, substr(SYSTEMNAME, 1, 2) == "us", 24, true(), 0)) | eval hr = strftime(_time, "%H") | search hr&gt;=regionStartHour AND hr&lt;=regionEndHour</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 18 May 2023 13:09:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-records-between-respective-timezones/m-p/643772#M223018 ran_deep 2023-05-18T13:09:52Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-records-between-respective-timezones/m-p/643779#M223022 <P>The <FONT face="courier new,courier">search</FONT> command cannot handle a field ("variable") name on both sides of the operator.&nbsp; Use <FONT face="courier new,courier">where</FONT>, instead.</P><LI-CODE lang="markup">index=ovpm sourcetype=ovpm_global | search "Service Name" = "WSB EXPRESS" | eval region = case(substr(SYSTEMNAME, 1, 2) == "my", "AP", substr(SYSTEMNAME, 1, 2) == "cz", "EU", substr(SYSTEMNAME, 1, 2) == "us", "AM", true(), "Other") | eval regionStartHour = tonumber(case(substr(SYSTEMNAME, 1, 2) == "my", 0, substr(SYSTEMNAME, 1, 2) == "cz", 8, substr(SYSTEMNAME, 1, 2) == "us", 16, true(), 0)) | eval regionEndHour = tonumber(case(substr(SYSTEMNAME, 1, 2) == "my", 8, substr(SYSTEMNAME, 1, 2) == "cz", 16, substr(SYSTEMNAME, 1, 2) == "us", 24, true(), 0)) | eval hr = strftime(_time, "%H") | where hr&gt;=regionStartHour AND hr&lt;=regionEndHour</LI-CODE> Thu, 18 May 2023 14:08:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-records-between-respective-timezones/m-p/643779#M223022 richgalloway 2023-05-18T14:08:25Z