query for picking time range - at specified time everyday

1234testtest
Path Finder

Hi, I have my data in the following format

Tue Jan 01 08:00:00 IST 2013 10.10.10.213 Value 23
Tue Jan 01 08:10:00 IST 2013 10.10.10.216 Value 25

I would like to prepare a query which shows average of all the values between 8-9AM everyday.

sourcetype="data" ip=10.10.10.* | stats avg(Value)

will give the average, but how do I specify a relative time range where I get the data between 8-9AM everyday? (I have options to specify the time in custom time, but then I have to give a specific date.)

0 Karma

Ayn
Legend

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

1234testtest
Path Finder

Thank you,

0 Karma

Ayn
Legend

Not sure why you would want to include 9:00 as well; in all usual cases this wouldn't be considered to be included in the interval 8-9AM. But, if you really want, just do

sourcetype="data" ip=10.10.10.* (date_hour=8 OR (date_hour=9 AND date_minute=0)) | stats avg(Value)

date_hour uses 24-hour notation so for PM times you'd just use their 24-hour notation equivalent.

0 Karma
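
A small Python model of the two filters in this thread, added here as an illustration (it is not code from any poster and is not SPL): it parses events in the question's format, applies `date_hour=8` with or without the `date_hour=9 AND date_minute=0` clause, and averages per day. The sample events, the per-day grouping and the function names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the format shown in the question.
SAMPLE = """\
Tue Jan 01 07:59:59 IST 2013 10.10.10.213 Value 99
Tue Jan 01 08:00:00 IST 2013 10.10.10.213 Value 23
Tue Jan 01 08:10:00 IST 2013 10.10.10.216 Value 25
Tue Jan 01 09:00:00 IST 2013 10.10.10.213 Value 30
Tue Jan 01 09:00:01 IST 2013 10.10.10.216 Value 77
Wed Jan 02 08:30:00 IST 2013 10.10.10.213 Value 40
Wed Jan 02 08:45:00 IST 2013 10.20.30.40 Value 500
Wed Jan 02 20:30:00 IST 2013 10.10.10.216 Value 60
"""

def parse(line):
    """Split one event into (timestamp, ip, value); the zone token is dropped."""
    p = line.split()
    # p: [dow, month, day, hh:mm:ss, zone, year, ip, "Value", number]
    ts = datetime.strptime(" ".join(p[1:4] + [p[5]]), "%b %d %H:%M:%S %Y")
    return ts, p[6], float(p[8])

def in_window(ts, include_nine=False):
    """Model of date_hour=8, optionally OR (date_hour=9 AND date_minute=0)."""
    if ts.hour == 8:
        return True
    return include_nine and ts.hour == 9 and ts.minute == 0

def daily_avg(text, include_nine=False, prefix="10.10.10."):
    """Average Value per calendar day for matching IPs inside the window."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, value = parse(line)
        # prefix stands in for the ip=10.10.10.* wildcard (assumption).
        if ip.startswith(prefix) and in_window(ts, include_nine):
            buckets[ts.date().isoformat()].append(value)
    return {day: sum(v) / len(v) for day, v in sorted(buckets.items())}

if __name__ == "__main__":
    print(daily_avg(SAMPLE))                     # events from 08:00:00 to 08:59:59
    print(daily_avg(SAMPLE, include_nine=True))  # plus 09:00:00 to 09:00:59
```

The 9:00 clause matches on the minute, so it admits every event from 09:00:00 to 09:00:59; the constructed 09:00:01 event is counted in the second result.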

1234testtest
Path Finder

Thanks. This gives the time range from 8:00-8:59 AM.
1. How to include 9AM also into this query.
2. If the time format is 12 hour and not 24 hour, how to include AM/PM into this query.
Kindly help.

0 Karma