
How can we identify events based on timestamp?

ravicheepa87
Explorer

I am indexing a file 3 times a day in Splunk. Timings are around 8:30 am, 1:30 pm and 5:15 pm; these are not fixed timings, as the job generating the file is dependent on predecessor jobs and every day the timings may vary a little bit.
Each time the same job runs and produces data that I want to use to create a report, but I want to create a separate report for all three runs.

For example, I want to make a dashboard for the 8:30 am run, so events of 1:30 and 5:15 pm should not appear in the searches for this dashboard. So I have to identify my events based on a timestamp range.

Can someone help me out with how I can identify events based on the timestamps they were indexed at?


richgalloway
SplunkTrust

Use relative time ranges. earliest = @d+8h latest = @d+10h for the first report, earliest = @d+13h latest = @d+14h for the second and earliest = @d+17h latest = @d@19h for the last.

---
If this reply helps you, Karma would be appreciated.


ravicheepa87
Explorer

Hi @richgalloway, thanks for the suggestion, but this will give me only today's time range. But I want events between 8 am to 10 am over a range of 30 days. When I try earliest=-30d@d+8h latest=@d+10h it gives me all events from 8 am 30 days in the past to 10 am today, but I want events from between 8-10 am for each day in the past 30 days.


richgalloway
SplunkTrust

This would have been good to know originally.
All you can do is set the time picker for 30 days and use where to include events in the desired time range.

... | eval hour = strptime ( strftime (_time, "%H"), "%H")
| where (hour >= 8 AND hour < 10) OR (hour >= 13 AND hour < 15) OR (hour >= 17 AND hour < 19)
---
If this reply helps you, Karma would be appreciated.

ravicheepa87
Explorer

Hi Rich,

Thanks, it's working now, but it's working with the below code:
eval hour=strftime(_time,"%H") | where (hour >= 7 AND hour < 10). I am getting hour as spaces if I use the strptime function as mentioned by you.

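A fuller version of the hour-of-day filter from this thread, written here as an added example rather than code posted by anyone in it. It assumes a placeholder index name `my_index`, labels each event with the run window it falls into, and reports per day and per run, so the three dashboards can share one search and differ only in the run they keep; strftime renders _time in the search user's configured time zone, so the windows must be expressed in the zone the jobs run in.

```spl
index=my_index earliest=-30d@d latest=now
| eval hour=tonumber(strftime(_time, "%H"))
| eval run=case(hour>=8 AND hour<10,  "morning (08:30)",
                hour>=13 AND hour<15, "midday (13:30)",
                hour>=17 AND hour<19, "evening (17:15)",
                true(), null())
| where isnotnull(run)
| eval day=strftime(_time, "%Y-%m-%d")
| stats count AS events, min(_time) AS first_event, max(_time) AS last_event BY day, run
| fieldformat first_event=strftime(first_event, "%H:%M:%S")
| fieldformat last_event=strftime(last_event, "%H:%M:%S")
| sort day, run
```

For the single-run dashboard, replace the `where isnotnull(run)` line with `where run="morning (08:30)"`. If the events carry timestamps from inside the file rather than from the moment the file was indexed, substitute `_indextime` for `_time` in the two eval lines, since the question is about when each run was indexed.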