Solved: Re: How do you insert a time range inside a query?

zacksoft · ‎01-21-2019

I am trying to define my search range inside a query by using the earliest / latest parameter or something similar. But, I am getting a syntax error. I tried a few different techniques.

The condition is...
"I want to count the number of events generated between 10 AM to 2 PM everyday for last 50 days"

kamlesh_vaghela · ‎01-21-2019

@zacksoft

Can you please try this?

YOUR_SEARCH
 | eval date_hour=strftime(_time, "%H") 
 | search date_hour>=10 date_hour<=14 | stats count

Adding minute filter

YOUR_SEARCH
    | eval date_hour=strftime(_time, "%H"), date_min=strftime(_time, "%M") 
    | search date_hour>10 date_hour<14 OR (date_hour=10 date_min>=30) OR (date_hour=14 date_min<=45)  | stats count

Thanks

View solution in original post

kamlesh_vaghela · ‎01-21-2019

@zacksoft

Can you please try this?

YOUR_SEARCH
 | eval date_hour=strftime(_time, "%H") 
 | search date_hour>=10 date_hour<=14 | stats count

Adding minute filter

YOUR_SEARCH
    | eval date_hour=strftime(_time, "%H"), date_min=strftime(_time, "%M") 
    | search date_hour>10 date_hour<14 OR (date_hour=10 date_min>=30) OR (date_hour=14 date_min<=45)  | stats count

Thanks

zacksoft · ‎01-21-2019

Thanks,
What if I want to make it between 10:45 AM to 02:30 PM ?
How do I add the minute field ?

kamlesh_vaghela · ‎01-21-2019

@zacksoft

I have updated my Answer. Can you please check it?

How do you insert a time range inside a query?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How do you insert a time range inside a query?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine