Dashboards & Visualizations

query for picking time range - at specified time everyday

1234testtest
Path Finder

Hi, I have my data in the following format

Tue Jan 01 08:00:00 IST 2013 10.10.10.213 Value 23
Tue Jan 01 08:10:00 IST 2013 10.10.10.216 Value 25

I would like to prepare a query which shows average of all the values between 8-9AM everyday.

sourcetype="data" ip=10.10.10.* | stats avg(Value) will give the average but how do I specify relative time range where I get the data between 8-9AM everyday (I have options to specify time in custom time but then I have to give specific date).

Tags (1)
0 Karma
1 Solution

Ayn
Legend

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

View solution in original post

Ayn
Legend

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

1234testtest
Path Finder

Thank you,

0 Karma

Ayn
Legend

Not sure why you would want to include 9:00 as well, in all usual cases this wouldn't considered to be included in the interval 8-9AM. But, if you really want, just do

sourcetype="data" ip=10.10.10.* (date_hour=8 OR (date_hour=9 AND date_minute=0)) | stats avg(Value)

date_hour uses 24-hour notation so for PM times you'd just use their 24-hour notation equivalent.

0 Karma

1234testtest
Path Finder

Thanks. This gives the time range from 8:00 -8:59 AM
1. How to include 9AM also into this query.
2. if the time format is 12 hour and not 24 hour, how to include AM/PM into this query.
Kindly help.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...