topic Re: How to edit my search to retrieve three 15 minute spans of data per day for a specified date range? in Splunk Search

How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?

nmohammed — Wed, 15 Jul 2015 18:32:08 GMT

I am trying to get data from splunk on the following basis :

get data :

• From June 19 to July 2
• Every day:
o 10:00 AM to 10:15 AM
o 12:00 noon to 12:15 PM
o 2:00 PM to 2:15 PM

I have been using different searches with strftime, but getting 0 results. When I do a search on a per day basis, I am seeing numbers coming up.

My search:

sourcetype=abc type=xyz clientid=123  | eval myHour=strftime(_time, "%H") | eval myMin=strftime(_time, "%M") | where ( myHour <= 10 AND myMin >=00) AND (myHour > 10 AND myMin <=15) | stats count as Calls by _time | fieldformat Calls = tostring(Calls, "commas")

Can someone please help me figure out on how to get the required data ?

Re: How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?

diogofgm — Wed, 15 Jul 2015 19:40:29 GMT

i think there's a problem with you where clause... try with this:

| where myHour=10 AND (myMin >=00 AND myMin<=15)

if it still doesn't work check if your evals (myMin and myHour) are showing proper values.

I tested it using some splunk auto extracted date fields and i was getting the proper events

index=_internal | where date_hour=10 AND (date_minute>=00 AND date_minute<=15)

Re: How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?

nmohammed — Tue, 29 Sep 2020 06:42:43 GMT

thanks ., I have tried this out , both ways.. basically I had changed the structure a little here..

This had certain matching events, but did not produce any results.

I run the query simply and get the numbers , but have to select the date and time range for each day. But this process is very hectic.

sourcetype=abc type=xyz clientid=123 | stats count as Calls --> produces the numbers

Re: How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?

martin_mueller — Wed, 15 Jul 2015 23:21:39 GMT

This approach should work, run this from June 19th to July 2nd:

sourcetype=abc type=xyz clientid=123 date_minute>=0 date_minute<15 (date_hour=10 OR date_hour=12 OR date_hour=14) | ...

Re: How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?

nmohammed — Thu, 16 Jul 2015 00:12:06 GMT

Awesome.. !!! It worked .. Thanks much Martin .