I am indexing a file 3 times a day in Splunk. Timings are around 8:30 am, 1:30 pm and 5:15 pm. These are not fixed timings, as the job generating the file is dependent on predecessor jobs, and every day the timings may vary a little bit.
Each time the same job runs and produces data that I want to use to create a report, but I want to create a separate report for all three runs.
For example, I want to make a dashboard for the 8:30 am run, so events of 1:30 and 5:15 pm should not appear in the searches for this dashboard. So I have to identify my events based on a timestamp range.
Can someone help me out with how I can identify events based on the timestamps at which they were indexed?
Use relative time ranges. earliest = @d+8h latest = @d+10h
for the first report, earliest = @d+13h latest = @d+14h
for the second, and earliest = @d+17h latest = @d+19h
for the last.
Hi @richgalloway, thanks for the suggestion, but this will give me only today's time range. I want events between 8 am and 10 am over a range of 30 days. When I try earliest = -30d@d+8h latest = @d+10h it gives me all events from 8 am on the 30th day in the past up to 10 am today, but I want events from between 8 and 10 am for each day in the past 30 days.
This would have been good to know originally.
All you can do is set the time picker for 30 days and use where to include events in the desired time range.
... | eval hour = strptime ( strftime (_time, "%H"), "%H")
| where (hour >= 8 AND hour < 10) OR (hour >= 13 AND hour < 15) OR (hour >= 17 AND hour < 19)
Hi Rich,
Thanks, it's working now, but it's working with the code below:
eval hour=strftime(_time,"%H") | where (hour >= 7 AND hour < 10) . I am getting hour as spaces if I use the strptime function as mentioned by you.
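Pulling the thread together as an added example (not code from any of the posts): the search below labels each event with the run it belongs to, so one base search can feed all three dashboards by changing only the `where` clause. The index and sourcetype are placeholders, the hour windows are the ones given above, and `tonumber` makes the comparison numeric rather than a string comparison, which also avoids the empty `hour` the `strptime` version produced.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-30d@d latest=now
| eval hour=tonumber(strftime(_time, "%H"))
| eval run=case(hour>=8 AND hour<10, "morning",
                hour>=13 AND hour<15, "afternoon",
                hour>=17 AND hour<19, "evening")
| where run="morning"
| timechart span=1d count
```

Since the original question was about when events were indexed, `strftime(_indextime, "%H")` can replace `_time` if the event timestamps differ from the index time; `strftime` renders the hour in the searching user's configured time zone, so the windows must match that zone.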