https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276995#M83540 <P>Hi </P> <P>I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie <CODE>time_extract&gt;=10 AND time_extract&lt;23</CODE> ..how to go about that?</P> <P>Current search:</P> <PRE><CODE>Date_extract="10/29/16" | stats count by severity | where Time_extract&gt;=12 AND Time_extract&lt;23 </CODE></PRE> Tue, 29 Sep 2020 11:34:33 GMT arunkuriakose 2020-09-29T11:34:33Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276995#M83540 <P>Hi </P> <P>I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie <CODE>time_extract&gt;=10 AND time_extract&lt;23</CODE> ..how to go about that?</P> <P>Current search:</P> <PRE><CODE>Date_extract="10/29/16" | stats count by severity | where Time_extract&gt;=12 AND Time_extract&lt;23 </CODE></PRE> Tue, 29 Sep 2020 11:34:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276995#M83540 arunkuriakose 2020-09-29T11:34:33Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276996#M83541 <P>Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted if you run the search in "Verbose mode" (changed "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode).</P> <P>If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):</P> <P><CODE>&lt;base_search&gt; date_hour&gt;=12 date_hour&lt;23 | stats count by severity</CODE></P> Tue, 29 Sep 2020 11:37:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276996#M83541 rjthibod 2020-09-29T11:37:31Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276997#M83542 <P>Can you have a look at the link provided here which explains both extraction of hour and searching on it or alternatively using date_hour (and what could be the consequences of it in <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/188962">@ppablo</a>_splunk 's comments of the post):</P> <P><A href="https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150" target="_blank">https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150</A></P> <P>However what you should be looking at is something like below:</P> <PRE><CODE>your Query that returns data |eval myHour=strftime(_time, "%H") | where myHour&gt;=12 AND myHour&lt;23 | stats count by severity </CODE></PRE> Tue, 29 Sep 2020 11:34:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276997#M83542 gokadroid 2020-09-29T11:34:36Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276998#M83543 <P>You just need to do the <CODE>where time_extract</CODE> BEFORE the <CODE>stats</CODE> command. You could also combine the two filters, like this</P> <P>... | where Date_extract="10/29/16" AND (Time_extract&gt;=12 AND Time_extract&lt;23) | stats count by severity</P> Tue, 29 Sep 2020 11:34:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-during-a-certain-period-of-time/m-p/276998#M83543 sundareshr 2020-09-29T11:34:42Z