topic Re: How to get 3 different hours data in Splunk Search

How to get 3 different hours data

prathapkcsc — Tue, 29 Sep 2020 14:11:23 GMT

In where_time=desired_times,
my desired timings are 8AM,12PM,18PM.
How to give all 3 timings in that where clause?
Anyone can help me?

Thank you

Re: How to get 3 different hours data

niketn — Wed, 24 May 2017 06:46:48 GMT

It should ideally go in your base search using extracted field date_hour. However you have defined a span of 4 hours on _time. Do you want 8 AM to 12:00 PM 12:00 PM to 16:00 PM and from 18:00 PM to 22:00 PM?

< Your base search > (date_hour>=08 AND date_hour<=16 ) OR (date_hour>=18 AND date_hour<=24 )

Re: How to get 3 different hours data

prathapkcsc — Tue, 29 Sep 2020 14:11:56 GMT

NO i want only 8AM,12PM,18PM data.
my search looks like this
your base search
| rex "(AM|PM)\s+(?[^,]+),\s+?(?[^,]+),\s+?(?[^,]+),\s+?(?[^,]+),\s+?(?\d+),\s+?(?\d+),\s+?(?\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

now i want only 8AM,12PM,18PM data?

Re: How to get 3 different hours data

niketn — Thu, 25 May 2017 05:16:50 GMT

Your code is getting escaped please post with Code button (101010). date_hour should still work... Following in the base search should give you event only from specific hours

 < Your base search > (date_hour=08 OR date_hour=12  OR date_hour=18

Re: How to get 3 different hours data

somesoni2 — Thu, 25 May 2017 05:28:34 GMT

Try like this

base search | reg " " |  bin _time as desired_times span=4h |  where strftime(desired_times,"%H")="08" OR strftime(desired_times,"%H")="12" OR strftime(desired_times,"%H")="18"

Re: How to get 3 different hours data

prathapkcsc — Thu, 25 May 2017 05:53:02 GMT

i am not getting any events

Re: How to get 3 different hours data

somesoni2 — Thu, 25 May 2017 05:59:24 GMT

How about this (the last where clause)

|  where tonumber(strftime(desired_times,"%H"))=8 OR tonumber(strftime(desired_times,"%H"))=12 OR tonumber(strftime(desired_times,"%H"))=18

Re: How to get 3 different hours data

prathapkcsc — Thu, 25 May 2017 06:00:52 GMT

still no results found

Re: How to get 3 different hours data

prathapkcsc — Thu, 25 May 2017 06:02:24 GMT

its giving me the results but in table statistics all hours are displaying without data,
I want to display only those 3 hrs in table statistics

Re: How to get 3 different hours data

somesoni2 — Thu, 25 May 2017 06:04:16 GMT

Strange. What is your full query? You're getting events before the where clause?

Try this as well

your base search | some regex | eval hour=tonumber(strftime(_time,"%H")) | where hour>=8 AND hour<=18

Re: How to get 3 different hours data

prathapkcsc — Tue, 29 Sep 2020 14:11:59 GMT

yes am getting the results with all hours of data.
my search query is
base search
|rex ".?(?[^,]+),\s?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?\d+),\s*?(?\d+),\s*?(?\d+),\s*?(?\d+),\s*?(?\d+)"
|bin _time as desired_times span=4h | where tonumber(strftime(desired_times,"%H"))=8 OR tonumber(strftime(desired_times,"%H"))=12 OR tonumber(strftime(desired_times,"%H"))=18|table _time,server,DISK
| timechart limit=0 max(DISK) as DISK by server

i included your suggession thats not giving any results

Re: How to get 3 different hours data

prathapkcsc — Thu, 25 May 2017 06:11:40 GMT

Its working now.But remaining all fields are also coming with no data.I want to display only my required fields in the statistics table

Re: How to get 3 different hours data

somesoni2 — Thu, 25 May 2017 06:13:57 GMT

Add a table command after the where clause.

...| table list of fields that you want to show