Dashboards & Visualizations

how to display information for a specific time range everyday

Explorer

Good day

I have a query I have generated. I want the query to show me events from 11pm to 6am ONLY. So if I select "month to date", it only shows information for the time range I have specified.

SubscriberId=$msisdn$ | stats sum(TBytes) as total, sum(RBytes) as received, sum(TxBytes) as transmitted | eval total_mb=total/1000/1000 | eval received_mb=received/1000/1000 | eval transmitted_mb=transmitted/1000/1000


SplunkTrust

Hi nyasharashad59,

Can you please try the below search?

SubscriberId=$msisdn$ | timechart sum(TBytes) as TBytes, sum(RBytes) as RBytes, sum(TxBytes) as TxBytes span=1s 
| convert ctime(_time) as Time timeformat="%H%M%S" 
| where (Time>230000 AND Time<235959) OR (Time<060000) 
| stats sum(TBytes) as total, sum(RBytes) as received, sum(TxBytes) as transmitted 
| eval total_mb=total/1000/1000 
| eval received_mb=received/1000/1000 
| eval transmitted_mb=transmitted/1000/1000

You can change Time Range in where condition.

I hope it will work.

Thanks


SplunkTrust

@kamlesh_vaghela - good start. Two suggestions... (1) Since time cannot be greater than 24, you don't need the second half of the first time condition. (2) The remaining time conditions will exclude items that happen at exactly 230000 and 060000, so change those to >= and <=.

You could also just use the "%H" portion and test for >="23" and <="06"


SplunkTrust

Yeah, that's true.
It will be much clearer and simpler to compare hours.

Thanks @DalJeanis.

Hi nyasharashad59,

Can you please try the revised search below?

SubscriberId=$msisdn$ | timechart sum(TBytes) as TBytes, sum(RBytes) as RBytes, sum(TxBytes) as TxBytes span=1s 
| convert ctime(_time) as Time timeformat="%H" | where Time>=23 OR Time<6 
| stats sum(TBytes) as total, sum(RBytes) as received, sum(TxBytes) as transmitted 
| eval total_mb=total/1000/1000 
| eval received_mb=received/1000/1000 
| eval transmitted_mb=transmitted/1000/1000

Thanks

SplunkTrust

@kamlesh_vaghela <=6


SplunkTrust

Hi DalJeanis,
Here we are comparing hours only, so don't you think <=6 will fetch events after 6 AM as well? That is, events at (%H:%M) 6:10 ... 6:50 ... 6:59. We need events up to 6 AM only.


Legend

@DalJeanis, @kamlesh_vaghela, we should always consider filtering records upfront. So using date_hour in base search will have better performance as compared to filtering later in the search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Legend

@nyasharashad59, you can use the date_hour field to filter events based on the specific hours you require:

<YourBaseSearch> SubscriberId=$msisdn$ date_hour=23 OR (date_hour>=0 AND date_hour<7)
| <YourRemainingSearch>
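To make the boundary differences discussed in this thread concrete, here is an added Python model (not Splunk code, and not from any poster) of three filters applied to constructed sample events: an exact 23:00:00 to 06:00:00 clock window with both ends inclusive, which is what DalJeanis's `>=230000` / `<=060000` form selects; the hour-only filter `Time>=23 OR Time<6`; and the `date_hour=23 OR date_hour<7` filter. The byte sums and MB conversion mirror the question's `stats` / `eval` pipeline.

```python
from datetime import datetime, time

# Constructed sample events (not from the thread): (timestamp, TBytes, RBytes, TxBytes)
EVENTS = [
    ("2023-03-01 22:59:59", 1_000_000,   600_000,   400_000),  # just before 23:00
    ("2023-03-01 23:00:00", 2_000_000, 1_200_000,   800_000),  # exactly at window start
    ("2023-03-02 03:30:00", 3_000_000, 2_000_000, 1_000_000),  # inside the window
    ("2023-03-02 06:00:00", 4_000_000, 2_500_000, 1_500_000),  # exactly 6 AM
    ("2023-03-02 06:00:01", 5_000_000, 3_000_000, 2_000_000),  # one second past 6 AM
    ("2023-03-02 06:59:59", 6_000_000, 3_500_000, 2_500_000),  # still hour 6
]

HOURS_BEFORE_6 = frozenset({23, 0, 1, 2, 3, 4, 5})      # %H >= 23 OR %H < 6
HOURS_THROUGH_6 = frozenset({23, 0, 1, 2, 3, 4, 5, 6})  # date_hour=23 OR date_hour<7


def in_window(ts, start=time(23, 0, 0), end=time(6, 0, 0)):
    """True when the clock time of ts is within [start, end] inclusive.
    When start > end the window wraps past midnight (23:00 -> 06:00)."""
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def by_hour(ts, hours):
    """Hour-granularity filter, like comparing %H or date_hour: the whole
    hour is kept, so 6 in the set admits everything up to 06:59:59."""
    return ts.hour in hours


def summarise(events, keep):
    """Sum bytes over the kept events and convert to MB like the question's evals."""
    total = received = transmitted = 0
    for stamp, tb, rb, txb in events:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if keep(ts):
            total += tb
            received += rb
            transmitted += txb
    return {"total_mb": total / 1000 / 1000,
            "received_mb": received / 1000 / 1000,
            "transmitted_mb": transmitted / 1000 / 1000}


def compare(events=EVENTS):
    """Run the three filter variants from the thread over the same events."""
    return {
        "exact_23_to_6": summarise(events, in_window),
        "hour_lt_6": summarise(events, lambda ts: by_hour(ts, HOURS_BEFORE_6)),
        "date_hour_lt_7": summarise(events, lambda ts: by_hour(ts, HOURS_THROUGH_6)),
    }
```

Only the exact window keeps the 06:00:00 event and nothing later; `<6` drops it, while `<7` (or `<=6` on hours) also admits everything up to 06:59:59.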

SplunkTrust

@niketnilay - isn't the >=0 redundant?

Legend

Yes it is. Habit or reflex typed it without thinking 🙂
