
How can we identify events based on timestamp?

ravicheepa87
Explorer

I am indexing a file 3 times a day in Splunk. Timings are around 8:30 am, 1:30 pm and 5:15 pm. These are not fixed timings, as the job generating the file is dependent on predecessor jobs, and every day the timings may vary a little bit.
Each time the same job runs and produces data that I want to use to create a report, but I want to create a separate report for all three runs.

For example, I want to make a dashboard for the 8:30 am run, so events of 1:30 and 5:15 pm should not appear in the searches for this dashboard. So I have to identify my events based on a timestamp range.

Can someone help me out with how I can identify events based on the timestamps they were indexed at?

1 Solution

richgalloway
SplunkTrust

Use relative time ranges. earliest = @d+8h latest = @d+10h for the first report, earliest = @d+13h latest = @d+14h for the second, and earliest = @d+17h latest = @d+19h for the last.

---
If this reply helps you, Karma would be appreciated.


ravicheepa87
Explorer

Hi @richgalloway, thanks for the suggestion, but this will give me only today's time range. I want events between 8 am and 10 am over a range of 30 days. When I try earliest = -30d@d+8h latest = @d+10h it gives me all events from 8 am on the 30th day in the past to 10 am today, but I want events from between 8-10 am for each day in the past 30 days.


richgalloway
SplunkTrust

This would have been good to know originally.
All you can do is set the time picker for 30 days and use where to include events in the desired time range.

... | eval hour = strptime(strftime(_time, "%H"), "%H")
| where (hour >= 8 AND hour < 10) OR (hour >= 13 AND hour < 15) OR (hour >= 17 AND hour < 19)
---
If this reply helps you, Karma would be appreciated.

ravicheepa87
Explorer

Hi Rich,

Thanks, it's working now, but it's working with the below code:
eval hour=strftime(_time,"%H") | where (hour >= 7 AND hour < 10). I am getting hour as spaces if I use the strptime function as mentioned by you.

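As an added example (not code from this thread, and not Splunk's own implementation), the Python below models the two approaches the replies discuss: Rich's relative time modifiers (`@d+8h`, `-30d@d+8h`) resolved against a fixed search time, and the hour-of-day filter that finally worked. It shows why `earliest=-30d@d+8h latest=@d+10h` is one contiguous span rather than a daily 8-10 am window, and why the hour comparison needs an integer from `strftime` rather than a `strptime` result (Splunk's `strptime` returns epoch seconds, which is never between 8 and 10). The modifier parser is a deliberately simplified model of Splunk's syntax (only `s`/`m`/`h`/`d` offsets and snaps, naive local times, no week snapping), and the events and the search time are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumption: a simplified model of Splunk relative-time modifiers covering
# only what this thread uses: [+-]N{s,m,h,d} offsets and @{s,m,h,d} snaps,
# applied left to right on naive local datetimes.
_TOKEN = re.compile(r"([+-]\d+)([smhd])|@([smhd])")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def resolve_relative(spec, now):
    """Resolve a modifier such as '-30d@d+8h' relative to `now`."""
    if spec in ("", "now"):
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError("unparsed text in modifier: %r" % spec)
        pos = m.end()
        if m.group(3):  # snap: truncate to the start of the unit
            snap = m.group(3)
            t = t.replace(microsecond=0)
            if snap in "mhd":
                t = t.replace(second=0)
            if snap in "hd":
                t = t.replace(minute=0)
            if snap == "d":
                t = t.replace(hour=0)
        else:  # signed offset such as -30d or +8h
            t += timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})
    if pos != len(spec):
        raise ValueError("unparsed text in modifier: %r" % spec)
    return t


def in_time_range(events, earliest, latest, now):
    """Mimic earliest=/latest=: one contiguous window [earliest, latest)."""
    lo, hi = resolve_relative(earliest, now), resolve_relative(latest, now)
    return [e for e in events if lo <= e["_time"] < hi]


def hour_of_day(t):
    """Equivalent of tonumber(strftime(_time, "%H")): an integer 0-23.
    Parsing that "%H" string back with strptime would yield a timestamp
    (epoch seconds in Splunk), not a small number comparable with 8."""
    return int(t.strftime("%H"))


def in_daily_windows(events, windows):
    """Keep events whose local hour-of-day falls in any [start, end) window,
    on every day of the search period, which is what the question needed."""
    return [e for e in events
            if any(lo <= hour_of_day(e["_time"]) < hi for lo, hi in windows)]


# Constructed sample data: three job runs per day (times drift a little)
# over three days, plus a fixed "search time" so results are deterministic.
NOW = datetime(2024, 3, 12, 18, 0, 0)


def make_events():
    events = []
    for days_ago in range(3):
        day = (NOW - timedelta(days=days_ago)).replace(hour=0, minute=0, second=0)
        for hh, mm, run in ((8, 31, "morning"), (13, 29, "midday"), (17, 16, "evening")):
            events.append({"_time": day.replace(hour=hh, minute=mm), "run": run})
    return events


EVENTS = make_events()

if __name__ == "__main__":
    # Today's morning run only: the first suggestion works for a single day.
    print(len(in_time_range(EVENTS, "@d+8h", "@d+10h", NOW)))          # 1
    # Widening earliest to -2d@d+8h returns every run in between, not just mornings.
    print(len(in_time_range(EVENTS, "-2d@d+8h", "@d+10h", NOW)))       # 7
    # Hour-of-day filtering gives the morning run for each day.
    print([e["_time"].isoformat() for e in in_daily_windows(EVENTS, [(8, 10)])])
```

The windows are half-open on the hour, so a run that drifts to 9:59 is still kept while one at 10:00 is not; if the job can slip past the hour boundary, widen the window (as the original poster did with `hour >= 7`) rather than rely on the run landing in the same hour every day.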