
How to retrieve one week of data, only between 6pm and 9pm

mvaradarajam
Path Finder

Hi All,
How do I retrieve one week of data, but only between 6pm and 9pm within each day's span?

Monday --- 6pm-9pm
Tuesday --- 6pm-9pm

like that?


Ayn
Legend

In addition to both these answers, it's important to note that the date_* fields do NOT always exist in events. They only exist for events where the timestamp processor has parsed the timestamp. This is not the case for Windows event logs sent from a forwarder, for instance. If you want to make sure you always have the field date_hour, you could do something like this:

... | eval date_hour=strftime(_time,"%H") | ...

digdug
New Member

If you want to summarize data by day for events between 6pm and 9pm, this should get you started:

YOUR_BASIC_QUERY_HERE (date_hour>=18 AND date_hour<21) earliest=@w1 latest=@w6 | timechart span=1d count

Given your example, I assume you want results for Monday through Friday. If you wanted the full week, use earliest=@w0 latest=@w6+d.


kristian_kolb
Ultra Champion

Normally the retrieval can be done like this:

index=bleh sourcetype=blah earliest=-7d (date_hour>17 AND date_hour<21)

Then you must figure out if/how you want to report on that data, i.e. making some statistics, graphs, etc.

/K
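Pulling the three answers together, here is an added example search (not posted by anyone in the thread) that derives the hour from _time so it works even when date_hour was never extracted, keeps only 18:00 to 20:59, and counts per day over the last seven full days; index=bleh and sourcetype=blah are the placeholder names used above:

```spl
index=bleh sourcetype=blah earliest=-7d@d latest=@d
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=18 AND hour<21
| timechart span=1d count
```

Note that date_hour is parsed from the raw event timestamp, whereas strftime(_time, ...) renders in the searching user's time zone, so the two can disagree for events that were logged in a different zone.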
