Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude specific time ranges in search results

jedatt01
Builder
‎03-26-2014 07:50 AM

I have a datasource which contains availability statistics from an application. I also have a predetermined maintenance schedule that occurs every two weeks on the same day and time. How can I use search to exclude the date/time ranges for my maintenance schedule in my search results?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-26-2014 08:16 AM

If do something like this

index=yourIndex| eval MaintEnd=strptime("2014/03/26 11:00:00 AM","%Y/%m/%d %H:%M:%S %p") | eval MaintStart=strptime("2014/03/26 10:50:00 AM","%Y/%m/%d %H:%M:%S %p") | where _time > MaintEnd OR _time < MaintStart

View solution in original post

Reply
Solved! Jump to solution

jiman7697
Explorer
‎04-10-2019 10:12 AM

If you're trying to detect a 0-event period excluding some outage window timeframe, here's a generic search you could use:

index=my_index sourcetype=my_sourcetype  my_filter_criteria_here
| timechart span=1m count 
| search count=0 
| where NOT (date_wday=="sunday" AND date_hour >= 0 AND date_hour < 4)

I'm doing the where clause after detecting 0-event minutes because if you initially filter by those windows, you'll see no events there. Obviously if you are looking for a certain event rather than monitoring for a void in events you can do that filter right in the first line of the search.
You'd have to add more to your where clause to specify bi-weekly windows.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-26-2014 08:16 AM

If do something like this

index=yourIndex| eval MaintEnd=strptime("2014/03/26 11:00:00 AM","%Y/%m/%d %H:%M:%S %p") | eval MaintStart=strptime("2014/03/26 10:50:00 AM","%Y/%m/%d %H:%M:%S %p") | where _time > MaintEnd OR _time < MaintStart
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-26-2014 08:37 AM

If the maintenance window were every wednesday between 3am and 5am you could do this:

index=yourIndex NOT (date_wday=wednesday date_hour>=3 date_hour<5)

Then Splunk would not even load those events off disk - great if a lot of volume happens during maintenance.
However, I don't think there's a straightforward way of specifying "every other wednesday".

Reply
Solved! Jump to solution

jedatt01
Builder
‎03-26-2014 08:33 AM

That gets me closer. Now how can I specify a relative day, like every friday?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...