Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Select Time Range
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
laudai
Path Finder
04-24-2017
01:30 AM
He guys
I have 2 years data
how do I get the Specify time ranges
e.g. from 6am to 12pm every days
Thanks for your answer.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
04-24-2017
01:34 AM
Just restrict the inbuilt date_hour field to values 6 - 12
index=<your_index> | where date_hour>=6 and date_hour<=12
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
04-24-2017
01:58 AM
Hi laudai,
in you search insert the following condition:
your_search date_hour>5 | ...
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
04-24-2017
01:34 AM
Just restrict the inbuilt date_hour field to values 6 - 12
index=<your_index> | where date_hour>=6 and date_hour<=12
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-24-2017
02:01 AM
I would actually pipe to base search rather than additional where clause for two reasons:
1) Filtering records upfront in base search is faster.
2) search fieldName=value is faster than where fieldname=value
index=<your_index> date_hour>=6 and date_hour<=12
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
laudai
Path Finder
04-24-2017
02:39 AM
Is there has column name date_hour ? I can't use this search so I use Regular Expression
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
04-24-2017
02:45 AM
date_* default fields are not available for all sources, for instance they are not present for Windows event logs.
https://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Usedefaultfields
You can try creating the field like below and then filter -
| eval date_hour=strftime(_time,"%H") | where date_hour>=6 and date_hour<=12
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
laudai
Path Finder
04-24-2017
03:15 AM
Thanks for your answer.
Related Topics
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
