Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search blocks of time (certain hours)

mmoermans
Path Finder
‎08-28-2017 12:49 AM

Hi there,

I'm trying to get a chart of total firewall connections dropped (action=dropped) from the checkpoint firewall of the last 14 days but in two blocks of time: one between 07:00 – 19:00 (7am-7pm) and one between 19:00 – 07:00 (7pm-7am) and then a mediaan of both of the two weeks. This in a datamodel (network traffic) so the general date_hour>=7 doesn't seem to work.

How do I search for those two blocks of time in my query over 2 weeks?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 02:04 AM

Hi mmoermans,
you should use in your search "eval" command to create your blocks:

| eval block=if(date_hour>6 AND date_hour<20,"Block1","Block2")

in this way you can create stats using this new field.
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 02:04 AM

Hi mmoermans,
you should use in your search "eval" command to create your blocks:

| eval block=if(date_hour>6 AND date_hour<20,"Block1","Block2")

in this way you can create stats using this new field.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

mmoermans
Path Finder
‎08-28-2017 02:11 AM

Am I doing something wrong with the following search?:

| tstats `summariesonly` count from datamodel=Network_Traffic where host=firewall AND block=Block1 by All_Traffic.action
| eval block=if(date_hour>6 AND date_hour<20,"Block1","Block2")
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 02:35 AM

If you use tstats you have to save all the fields you use before tscollect, otherwise you haven't them and you need to extract from _time at search time.
In other words, you have to add to your search, before eval the following command
| eval date_hour=strftime(_time,"%H")
or modify the porevous eval in this way:

| tstats `summariesonly` count from datamodel=Network_Traffic where host=firewall AND block=Block1 by All_Traffic.action
| eval block=if(strftime(_time,"%H")>6 AND strftime(_time,"%H")<20,"Block1","Block2")

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...