Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search blocks of time (certain hours)

mmoermans
Path Finder
‎08-28-2017 12:49 AM

Hi there,

I'm trying to get a chart of total firewall connections dropped (action=dropped) from the checkpoint firewall of the last 14 days but in two blocks of time: one between 07:00 – 19:00 (7am-7pm) and one between 19:00 – 07:00 (7pm-7am) and then a mediaan of both of the two weeks. This in a datamodel (network traffic) so the general date_hour>=7 doesn't seem to work.

How do I search for those two blocks of time in my query over 2 weeks?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 02:04 AM

Hi mmoermans,
you should use in your search "eval" command to create your blocks:

| eval block=if(date_hour>6 AND date_hour<20,"Block1","Block2")

in this way you can create stats using this new field.
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 02:04 AM

Hi mmoermans,
you should use in your search "eval" command to create your blocks:

| eval block=if(date_hour>6 AND date_hour<20,"Block1","Block2")

in this way you can create stats using this new field.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

mmoermans
Path Finder
‎08-28-2017 02:11 AM

Am I doing something wrong with the following search?:

| tstats `summariesonly` count from datamodel=Network_Traffic where host=firewall AND block=Block1 by All_Traffic.action
| eval block=if(date_hour>6 AND date_hour<20,"Block1","Block2")
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 02:35 AM

If you use tstats you have to save all the fields you use before tscollect, otherwise you haven't them and you need to extract from _time at search time.
In other words, you have to add to your search, before eval the following command
| eval date_hour=strftime(_time,"%H")
or modify the porevous eval in this way:

| tstats `summariesonly` count from datamodel=Network_Traffic where host=firewall AND block=Block1 by All_Traffic.action
| eval block=if(strftime(_time,"%H")>6 AND strftime(_time,"%H")<20,"Block1","Block2")

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...