https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237140#M70479 <P>The output I'm getting currently with the above query is as below.</P> <P>user_id yesterday average_of_last_7days standard_deviation_of_last_7days<BR /> A 06:16--05:13 14:04--03:40 02:45--04:57<BR /> B 07:08--05:20 14:06--03:51 03:04--04:54<BR /> C 13:45--05:24 17:57--04:00 01:33--04:54<BR /> D 05:29--05:28 20:23--14:39 07:27--07:34<BR /> E 05:10--05:10 05:10--05:10 01:00--01:00<BR /> F 12:11--12:11 12:11--12:11 01:00--01:00</P> <P>I am expection the output should contain only the time in between 19:00 PM to 6:00 AM of next day and also satifying the condition on my question.</P> Tue, 29 Sep 2020 11:52:08 GMT pavanae 2020-09-29T11:52:08Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237138#M70477 <P>Hi everyone,</P> <P>Since I dont have much knowledge on Splunk query language. I am struggling for the past one week to sort out the results from a splunk query which is described as below.</P> <P>I want to define the "normal" time a user is working on Yesterday. This time-interval has to be between 18:00 day1 and 06:00 day2. Similarly for 7 consequent days I have to calculate his average working time range for the last 7 days which should be between 18:00 day1 and 06:00 day2 like we trying for yesterday. </P> <P>And display them both.</P> <P>I have acheived somewhat with the help of some of the splunksters in this site with the following Splunk Query</P> <P>For some reason I couldn't able post my complete query so pasting a picture. please check the picture for my splunk query.</P> <P><IMG src="https://community.splunk.com/storage/temp/173279-query2.png" alt="alt text" /> </P> <P>how can i filter my output to display only the user results which satisfies the condition substraction of the fields <STRONG>a_e and y_e</STRONG> is greater than 3 hours. </P> <P>Where a_e and y_e are the epoch times converted to human readable time.</P> <P>I know that I have been posting simillar questions for the past 1 week but due to my Unformulated English I failed to explain what I'm exactly looking for. </P> Tue, 29 Sep 2020 11:52:05 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237138#M70477 pavanae 2020-09-29T11:52:05Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237139#M70478 <P>If you give an example of output from current query and some sample of how you want it to be arranged, it will be useful for others to assist.</P> Wed, 23 Nov 2016 17:05:51 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237139#M70478 niketn 2016-11-23T17:05:51Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237140#M70479 <P>The output I'm getting currently with the above query is as below.</P> <P>user_id yesterday average_of_last_7days standard_deviation_of_last_7days<BR /> A 06:16--05:13 14:04--03:40 02:45--04:57<BR /> B 07:08--05:20 14:06--03:51 03:04--04:54<BR /> C 13:45--05:24 17:57--04:00 01:33--04:54<BR /> D 05:29--05:28 20:23--14:39 07:27--07:34<BR /> E 05:10--05:10 05:10--05:10 01:00--01:00<BR /> F 12:11--12:11 12:11--12:11 01:00--01:00</P> <P>I am expection the output should contain only the time in between 19:00 PM to 6:00 AM of next day and also satifying the condition on my question.</P> Tue, 29 Sep 2020 11:52:08 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237140#M70479 pavanae 2020-09-29T11:52:08Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237141#M70480 <P>Try this. The only changes to your original query are the <CODE>| where strftime(_time, "%H") &gt;=18 OR hod&lt;=6</CODE> AND <CODE>| where (a_e-y_e)&gt;=1800</CODE> rest of your query remains the same. I have mocked up your query with <CODE>...</CODE> inserting only the changes at relevant places in your query. </P> <PRE><CODE>earliest=-7d@d | eval hod=strftime(_time, "%H") | where hod&gt;=18 OR hod&lt;=6 | eval days=... | eval when=... | stats ... | stats ... | where (a_e-y_e)&gt;=1800 | convert ctime(a*) ... | rest of your original query here </CODE></PRE> Wed, 23 Nov 2016 20:37:48 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237141#M70480 sundareshr 2016-11-23T20:37:48Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237142#M70481 <P>Thank you very much @sundareshr. Got an error while executing the search with your suggested changes.</P> <P><STRONG>"Error in 'where' command: Typechecking failed. The '&gt;=' operator received different types."</STRONG></P> Wed, 23 Nov 2016 20:46:47 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237142#M70481 pavanae 2016-11-23T20:46:47Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237143#M70482 <P>My bad, try the updated search</P> Wed, 23 Nov 2016 20:51:07 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237143#M70482 sundareshr 2016-11-23T20:51:07Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237144#M70483 <P>thanks again for your time @sundareshr. But didn't seen any results now. just resulted as No results found.</P> Wed, 23 Nov 2016 21:03:49 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237144#M70483 pavanae 2016-11-23T21:03:49Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237145#M70484 <P>do you get data if you remove the <CODE>where</CODE> clause? try removing one at a time to see what causes no data</P> Wed, 23 Nov 2016 21:36:01 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237145#M70484 sundareshr 2016-11-23T21:36:01Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237146#M70485 <P>After removing the following lines I was able to see the data. But thank you the condition "| where (a_e-y_e)&gt;=1800" worked as expected. <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/140181">@sundareshr</a></P> <P>| eval hod=strftime(_time, "%H")<BR /> | where hod&gt;=18 AND hod&lt;=6</P> Tue, 29 Sep 2020 11:55:13 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237146#M70485 pavanae 2020-09-29T11:55:13Z https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237147#M70486 <P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> That should be <CODE>where hod&gt;=18 OR hod&lt;=6</CODE>. I've update the original as well.</P> Thu, 24 Nov 2016 14:05:33 GMT https://community.splunk.com/t5/Splunk-Search/how-can-i-filter-my-output-to-display-only-the-user-results/m-p/237147#M70486 sundareshr 2016-11-24T14:05:33Z