Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can anyone please help with constructing a search for notable events that came in outside of core hours?

LionWolf
Explorer
‎02-21-2023 12:15 PM
 
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2023 01:39 PM

This query looks for notable events that did not come between 0800 and 1800.  Modify it as necessary for your core hours.

index=notable
| where NOT (_time >= relative_time(_time, "@d+8h") AND _time <= relative_time(_time, "@d+18h"))
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2023 01:39 PM

This query looks for notable events that did not come between 0800 and 1800.  Modify it as necessary for your core hours.

index=notable
| where NOT (_time >= relative_time(_time, "@d+8h") AND _time <= relative_time(_time, "@d+18h"))
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LionWolf
Explorer
‎02-21-2023 04:24 PM

This worked! Thank you so much! You taught me so much with this query!

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...