https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31591#M6547 <P>Ended up using the following, for anyone interested. I just needed to put the carat in the CDATA string. Thanks guys!<BR /> <SEARCHTEMPLATE>(index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" host=$Computer$ user=$User$ | eval hour_of_the_day=strftime(_time,"%H") | where (hour_of_the_day &gt;= 17 &lt;![CDATA[or hour_of_the_day &lt; 6]]&gt;) | timechart count by user</SEARCHTEMPLATE></P> Mon, 28 Sep 2020 11:42:44 GMT jsb22 2020-09-28T11:42:44Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31584#M6540 <P>Anyone know splunk's built-in time variables? For example, I'm trying to create a search based on events occuring after 5 PM and before 6 AM, but the "date_hour" or "day_hour" variables that I've seen in other posts don't seem to be working. Any ideas?</P> Thu, 19 Apr 2012 23:06:43 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31584#M6540 jsb22 2012-04-19T23:06:43Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31585#M6541 <P>Does something like this work for you :</P> <P>Simple example , add your specific fields to the table command as you require.</P> <PRE><CODE>... | eval hour_of_the_day=strftime(_time, "%H") | where hour_of_the_day &gt;=17 or hour_of_the_day &lt; 6 | table _time </CODE></PRE> Fri, 20 Apr 2012 01:15:37 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31585#M6541 Damien_Dallimor 2012-04-20T01:15:37Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31586#M6542 <P>Works in the search, but not forms. Unfortunately the less than comparator is being seen as part of an html tag in my form so I'm getting "Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 47: StartTag: invalid element name" Any ideas?</P> Fri, 20 Apr 2012 11:23:43 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31586#M6542 jsb22 2012-04-20T11:23:43Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31587#M6543 <P>When you're using "&lt;" in a search command within an XML document, that tag character is interpreted as part of the XML data rather than as part of the search command. To specify that this tag is not referring to the XML structure, use the special escaping sequence <CODE>&lt;![CDATA[</CODE> and its corresponding end sequence <CODE>]]&gt;</CODE>.</P> <P>See this question and corresponding for more details: <A href="http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex">http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex</A></P> Fri, 20 Apr 2012 11:28:42 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31587#M6543 Ayn 2012-04-20T11:28:42Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31588#M6544 <P>Thanks Ayn <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 20 Apr 2012 11:38:56 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31588#M6544 Damien_Dallimor 2012-04-20T11:38:56Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31589#M6545 <P>Still not quite working. Ayn's response cleared the error, but it's not giving the results I would expect. Search line is as follows:</P> <P><SEARCHTEMPLATE>(index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" | eval hour_of_the_day=strftime(_time,"%H") | where (hour_of_the_day &gt;= 17 or hour_of_the_day &gt; &lt;![CDATA[ 6) | timechart count by user]]&gt;</SEARCHTEMPLATE></P> Mon, 28 Sep 2020 11:42:26 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31589#M6545 jsb22 2020-09-28T11:42:26Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31590#M6546 <P>Try wrapping the entire search in a CDATA block :</P> <P><SEARCHTEMPLATE>&lt;![CDATA[ (index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" | eval hour_of_the_day=strftime(_time,"%H") | where hour_of_the_day &gt;= 17 or hour_of_the_day &gt; 6 | timechart count by user ]]&gt;</SEARCHTEMPLATE></P> Mon, 28 Sep 2020 11:42:41 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31590#M6546 Damien_Dallimor 2020-09-28T11:42:41Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31591#M6547 <P>Ended up using the following, for anyone interested. I just needed to put the carat in the CDATA string. Thanks guys!<BR /> <SEARCHTEMPLATE>(index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" host=$Computer$ user=$User$ | eval hour_of_the_day=strftime(_time,"%H") | where (hour_of_the_day &gt;= 17 &lt;![CDATA[or hour_of_the_day &lt; 6]]&gt;) | timechart count by user</SEARCHTEMPLATE></P> Mon, 28 Sep 2020 11:42:44 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31591#M6547 jsb22 2020-09-28T11:42:44Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31592#M6548 <P>This information has proved useful and I've been able to use it myself. A question though, is it possible to alter this eval command to allow for searching in half hour periods?</P> <P>I'd like to do from 07:00-8:30 but using 8.5 will just round up to 9.</P> Fri, 14 Sep 2012 09:50:25 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31592#M6548 srw46 2012-09-14T09:50:25Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31593#M6549 <P>To access minutes in your search, you can add the following "| eval min_of_the_day=strftime(_time,"%M") " and search on "min_of_the_day" but there is an issue with my solution as if you're only searching for "min_of_the_day &lt; 31", it will only look at the first half hour of EVERY hour, not just the last one. Unfortunately I'm not good at regex strings, so this is where I have to bow out.</P> Mon, 28 Sep 2020 12:26:25 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31593#M6549 jsb22 2020-09-28T12:26:25Z https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31594#M6550 <P>This is great. I have been busting on this for quite some time. I was able to get it to work by using the format below. Thanks a bunch for the tip.</P> <P>This provides a search between 8am and 10pm for the day or days selected.<BR /> ERRORCODE=001 | eval hour_of_the_day=strftime(_time,"%H") | where hour_of_the_day&gt;07 | where hour_of_the_day&lt;22</P> Tue, 29 Sep 2020 10:20:22 GMT https://community.splunk.com/t5/Splunk-Search/Specific-Hour-Search/m-p/31594#M6550 mark_groenveld 2020-09-29T10:20:22Z