Solved: query for picking time range - at specified time e...

1234testtest · ‎01-31-2013

Hi, I have my data in the following format

Tue Jan 01 08:00:00 IST 2013 10.10.10.213 Value 23
Tue Jan 01 08:10:00 IST 2013 10.10.10.216 Value 25

I would like to prepare a query which shows average of all the values between 8-9AM everyday.

sourcetype="data" ip=10.10.10.* | stats avg(Value) will give the average but how do I specify relative time range where I get the data between 8-9AM everyday (I have options to specify time in custom time but then I have to give specific date).

Ayn · ‎01-31-2013

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

View solution in original post

Ayn · ‎01-31-2013

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

1234testtest · ‎02-03-2013

Thank you,

Ayn · ‎02-01-2013

Not sure why you would want to include 9:00 as well, in all usual cases this wouldn't considered to be included in the interval 8-9AM. But, if you really want, just do

sourcetype="data" ip=10.10.10.* (date_hour=8 OR (date_hour=9 AND date_minute=0)) | stats avg(Value)

date_hour uses 24-hour notation so for PM times you'd just use their 24-hour notation equivalent.

1234testtest · ‎01-31-2013

Thanks. This gives the time range from 8:00 -8:59 AM
1. How to include 9AM also into this query.
2. if the time format is 12 hour and not 24 hour, how to include AM/PM into this query.
Kindly help.

query for picking time range - at specified time everyday

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...