I am using Splunk in a 24/7 factory production floor.
I need to define a custom time range picker for all day shifts (6AM to 6PM) and night shifts (6PM to 6AM).
I am able to define it for one shift like @d-18h (yesterday 6AM) to @d-6h (yesterday 6PM). But how do I define, for example, this week, all days 6AM to 6PM?
You could have 2 options: one a dropdown for day vs. night, and the other for the time range (Last 7 days, etc.). Then in your search, you could do something like this:
index=xyz earliest=$timerange.earliest$ latest=$timerange.latest$ | eval hod=tonumber(strftime(_time, "%H")) | eval shift=if(hod>=6 AND hod<18, "day", "night") | where shift="$shiftselection$" | ...
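As an added illustration (not code from the original answer), here is how the two inputs described above could be wired into a Splunk Simple XML dashboard: a time picker feeding the `$timerange$` token and a dropdown feeding `$shiftselection$`. The index name `xyz` is taken from the answer; the dashboard label, the `stats` summary at the end of the search and the 7-day default range are assumptions.

```xml
<form>
  <label>Shift report (example dashboard)</label>
  <fieldset submitButton="true">
    <!-- Time input: supplies $timerange.earliest$ and $timerange.latest$ -->
    <input type="time" token="timerange">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Dropdown: supplies $shiftselection$ with the value "day" or "night" -->
    <input type="dropdown" token="shiftselection">
      <label>Shift</label>
      <choice value="day">Day shift (06:00 to 18:00)</choice>
      <choice value="night">Night shift (18:00 to 06:00)</choice>
      <default>day</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- hod is the hour of day; hours 6..17 are "day", 18..5 are "night" -->
          <query>index=xyz
| eval hod=tonumber(strftime(_time, "%H"))
| eval shift=if(hod&gt;=6 AND hod&lt;18, "day", "night")
| where shift="$shiftselection$"
| stats count by shift</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two points worth checking before relying on this: `strftime` renders `_time` in the timezone configured for the user running the search, so a user with a different timezone preference than the factory floor will see events assigned to the wrong shift; and the `<` and `>` inside `<query>` must be XML-escaped (or wrapped in CDATA) as shown, or the dashboard will fail to load.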