Solved: Re: query for picking time range - at specified ti...

1234testtest · ‎01-31-2013

Hi, I have my data in the following format

Tue Jan 01 08:00:00 IST 2013 10.10.10.213 Value 23
Tue Jan 01 08:10:00 IST 2013 10.10.10.216 Value 25

I would like to prepare a query which shows average of all the values between 8-9AM everyday.

sourcetype="data" ip=10.10.10.* | stats avg(Value) will give the average but how do I specify relative time range where I get the data between 8-9AM everyday (I have options to specify time in custom time but then I have to give specific date).

Ayn · ‎01-31-2013

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

View solution in original post

Ayn · ‎01-31-2013

For most events, Splunk will extract a couple of fields beginning with date_, like for instance date_hour that you could use.

sourcetype="data" ip=10.10.10.* date_hour=8 | stats avg(Value)

1234testtest · ‎02-03-2013

Thank you,

Ayn · ‎02-01-2013

Not sure why you would want to include 9:00 as well, in all usual cases this wouldn't considered to be included in the interval 8-9AM. But, if you really want, just do

sourcetype="data" ip=10.10.10.* (date_hour=8 OR (date_hour=9 AND date_minute=0)) | stats avg(Value)

date_hour uses 24-hour notation so for PM times you'd just use their 24-hour notation equivalent.

1234testtest · ‎01-31-2013

Thanks. This gives the time range from 8:00 -8:59 AM
1. How to include 9AM also into this query.
2. if the time format is 12 hour and not 24 hour, how to include AM/PM into this query.
Kindly help.

query for picking time range - at specified time everyday

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?