How do you exclude certain days from a time range?

Marinus — Wed, 14 Apr 2010 19:36:44 GMT

If you have a time range and certain days contain data you'd like to exclude can you drop the days from your search result?

Re: How do you exclude certain days from a time range?

netwrkr — Wed, 14 Apr 2010 19:41:45 GMT

To exclude wednesday you would add 'date_wday!=wednesday' to your search.

Check this article out for more information about the internal date fields -

http://www.splunk.com/base/Documentation/4.1/User/UseDefaultAndInternalFields

Re: How do you exclude certain days from a time range?

Lowell — Wed, 14 Apr 2010 21:14:07 GMT

You could filter out events based on the _time field using a where search command. This is more difficult to setup that using date_wday, but it's very flexible.

The basic approach would be to preform your search, then grab the timerange of your searchs using the addinfo search command. Then use the where search to filter out the unwanted events in the middle of your search range.

For example, say you were searching over a 1 hour window, but want to remove the center 30 minutes (so remove events between 15 after to 45 minutes after), you could do a search like this:

<your search> earliest=-1h@h latest=@h | addinfo | where _time < (info_min_time+900) OR _time > (info_max_time-900)

Some additional thoughts:

Along with info_min_time, info_max_time which I used in this example, there is also info_search_time which could be used if you wanted to do some time operations relative to the system time when you run your search.

Note that you can also use _indextime here, if you wanted to look at when your events were actually indexed rather than when your events occurred; which is sometimes interesting to look at.

topic Re: How do you exclude certain days from a time range? in Splunk Search

How do you exclude certain days from a time range?

Re: How do you exclude certain days from a time range?

Re: How do you exclude certain days from a time range?