Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if a time field is between two hour values?

caiomozer
Engager
‎04-23-2020 01:24 PM

Hello,

I have a situation where I need to check if a time field, 'report_date' in format "%Y-%m-%d %H:%M:%S" happened between 7 AM and 4 PM of that same day. I cant figure out how to do that comparison. I dont know how to get the hour value from my report_date field.

I'm trying to do that so I can make a filter to see how many reports were made in a specific period of the day so I can tell which shift recieved the report (the recieving time is not the same as the event time in splunk in that particular scenario), and I need to filter by shift.

So far what I did:
index=raw_maximo INCIDENTE=I* GR_RESP="OPERACAO"
| eval shift1=strptime(report_date,"%Y-%m-%d %H:%M:%S")
| where shift1 >= "07:00:00" AND shift1 <"16:00:00" (SOMETHING HAS TO BE CHANGED HERE, I'm comparing time with string atm)
|stats count(INCIDENTE) (I dont really remember what goes here, but not relevant, is just a count...)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-23-2020 03:13 PM

Your report-date field is in this format - "%Y-%m-%d %H:%M:%S"

So an example looks like 

2020-04-23 12:12:21

That hour is already in the format you want. strptime is the wrong tool here. All you have to do to get what you want is to drop the first 11 characters and keep the last 8.

Try this:

index=raw_maximo INCIDENTE=I* GR_RESP="OPERACAO"
| eval shift1=substr(report_date,12,8)
| where shift1 >= "07:00:00" AND shift1 <"16:00:00"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

darrenfuller
Contributor
‎04-24-2020 09:45 AM

Is the _time of the event equal to the report_date field?

If so, you could do something like this: 

index=raw_maximo INCIDENTE=I* GR_RESP=OPERACAO" date_hour>=7 date_hour<=16

if not, then you can do something like this: 

| makeresults
| eval report_date="2020-04-20 16:20:00|2020-04-20 09:04:20|2020-04-20 17:04:20|2020-04-20 04:20:00|2020-04-20 08:04:20"
| makemv report_date delim="|" | mvexpand report_date | fields - _time
| eval report_date_hour=strftime(strptime(report_date, "%Y-%m-%d %H:%M:%S"), "%H")
| eval is_between_700_and_1600=if(report_date_hour>=7 AND report_date_hour<16, 1, 0)

Where you strptime the string to get epoch and strftime the output to get hour by itself...

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-23-2020 03:13 PM

Your report-date field is in this format - "%Y-%m-%d %H:%M:%S"

So an example looks like 

2020-04-23 12:12:21

That hour is already in the format you want. strptime is the wrong tool here. All you have to do to get what you want is to drop the first 11 characters and keep the last 8.

Try this:

index=raw_maximo INCIDENTE=I* GR_RESP="OPERACAO"
| eval shift1=substr(report_date,12,8)
| where shift1 >= "07:00:00" AND shift1 <"16:00:00"
0 Karma
Reply
Solved! Jump to solution

caiomozer
Engager
‎04-24-2020 02:58 PM

YES! I can`t believe it was THAT simple! Thank you so much! It worked!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎04-30-2020 08:35 AM

@caiomozer - It's always easiest to see someone ELSE's issues. Can't tell you the number of hours we've spent chasing things like that over the decades.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...