https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/644348#M223174 <P>Hello All,</P> <P>I'm trying to do a search&nbsp;"found ANC VITC in source 01:00:00;00" which works just fine, but I would like to omit these errors from the UTC times of 01:00:00;00 - 01:00:00;05 because between those times the 01:00:00;00 timecode is legit.&nbsp; Is this possible?</P> <P>A co-worker believes there is a result object "called_time" but I'm unclear of the syntax use.</P> Wed, 24 May 2023 08:35:30 GMT ScottW1 2023-05-24T08:35:30Z https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/644348#M223174 <P>Hello All,</P> <P>I'm trying to do a search&nbsp;"found ANC VITC in source 01:00:00;00" which works just fine, but I would like to omit these errors from the UTC times of 01:00:00;00 - 01:00:00;05 because between those times the 01:00:00;00 timecode is legit.&nbsp; Is this possible?</P> <P>A co-worker believes there is a result object "called_time" but I'm unclear of the syntax use.</P> Wed, 24 May 2023 08:35:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/644348#M223174 ScottW1 2023-05-24T08:35:30Z https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/644363#M223182 <P>Please share your current search</P> Tue, 23 May 2023 22:45:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/644363#M223182 ITWhisperer 2023-05-23T22:45:43Z https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/645583#M223519 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, apologies for the delayed response.&nbsp; Here is the current search:&nbsp;&nbsp;</P><P>&nbsp;</P><P>index=morpheus6* "Found ANC VITC in source 01:00:00;00"</P><P>It produced the following results today:</P><P>6/2/23<BR />2:30:00.000 PM<BR />"2023-06-02 14:30:00;05","ICER43","BA69","Information","REC246","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER43source = C:\Logs\2023-06-02_XREC43.logsourcetype = ICERLog<BR />6/2/23<BR />2:30:00.000 PM<BR />"2023-06-02 14:30:00;03","ICER43","7DAA","Information","REC246","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6YMR-ICER43source = C:\Logs\2023-06-02_YREC43.logsourcetype = ICERLog<BR />6/2/23<BR />1:30:00.000 PM<BR />"2023-06-02 13:30:00;03","REC241_242","78DE","Information","REC242","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-02_XREC41.logsourcetype = ICERLog<BR />6/2/23<BR />1:00:00.000 PM<BR />"2023-06-02 13:00:00;03","REC241_242","70E5","Information","REC241","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-02_XREC41.logsourcetype = ICERLog<BR />6/2/23<BR />3:00:00.000 AM<BR />"2023-06-02 03:00:00;03","REC241_242","2A01","Information","REC242","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-02_XREC41.logsourcetype = ICERLog<BR />6/2/23<BR />2:00:00.000 AM<BR />"2023-06-02 02:00:00;03","REC241_242","FF28","Information","REC241","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-02_XREC41.logsourcetype = ICERLog<BR />6/2/23<BR />1:00:00.000 AM<BR />"2023-06-02 01:00:00;03","ICER61","FE44","Information","REC261","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER61source = C:\Logs\2023-06-02_XREC61.logsourcetype = ICERLog<BR />6/2/23<BR />1:00:00.000 AM<BR />"2023-06-02 01:00:00;02","REC241_242","F70F","Information","REC242","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-02_XREC41.logsourcetype = ICERLog<BR />6/2/23<BR />1:00:00.000 AM<BR />"2023-06-02 01:00:00;03","ICER62","C2DE","Information","REC266","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER62source = C:\Logs\2023-06-02_XREC62.logsourcetype = ICERLog<BR />6/2/23<BR />1:00:00.000 AM<BR />"2023-06-02 01:00:00;03","ICER61","68BC","Information","REC261","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6YMR-ICER61source = C:\Logs\2023-06-02_YREC61.logsourcetype = ICERLog<BR />6/2/23<BR />1:00:00.000 AM<BR />"2023-06-02 01:00:00;03","ICER62","EA99","Information","REC266","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6YMR-ICER62source = C:\Logs\2023-06-02_YREC62.logsourcetype = ICERLog<BR />6/1/23<BR />11:00:00.000 PM<BR />"2023-06-01 23:00:00;03","REC241_242","F2EB","Information","REC241","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-01_XREC41.logsourcetype = ICERLog<BR />6/1/23<BR />9:00:00.000 PM<BR />"2023-06-01 21:00:00;03","REC241_242","DA8F","Information","REC242","Found ANC VITC in source 01:00:00;00"<BR />host = DEN-6XMR-ICER41source = C:\Logs\2023-06-01_XREC41.logsourcetype = ICERLog</P><P>The ones at 01:00:00;00 to 01:00:00;03 are legit.&nbsp; The others are errors.</P><P>&nbsp;</P> Fri, 02 Jun 2023 16:44:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/645583#M223519 ScottW1 2023-06-02T16:44:25Z https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/645588#M223522 <P>FYI, solution found by a co-worker.&nbsp; Here is the search that omits/filters 1am UTC from the results (a second before and after):&nbsp;&nbsp;</P><P>index=morpheus6* "Found ANC VITC in source 01:00:00;00" | where !((date_hour = 1 AND date_minute = 0 AND date_second = 0) OR (date_hour = 00 AND date_minute = 59 AND date_second = 59))</P> Fri, 02 Jun 2023 17:08:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-setup-an-alert-but-omit-certain-time-of-day/m-p/645588#M223522 ScottW1 2023-06-02T17:08:24Z