Splunk Enterprise Security

How to customize date/time range in search?

itsmevic
Communicator

Hello,

Rather than run three separate reports on three different dates, I'd like to run ONE report that only encapsulates the following dates:

May 9, 2020, May 16, 2020, and May 23, 2020, and I'd like to search those days between the times 11:00 AM to 1:00 PM.

Thank you for your help!

Example of my search I'd like to incorporate it in:

"IP Address" OR "IP Address" OR "IP Address"
| timechart count by src
| sort -count
0 Karma
1 Solution

richgalloway
SplunkTrust

You could use a series of append commands, but that's pretty much like running 3 searches.

Perhaps this will do what you want. It uses hard-coded dates since that is what you asked for. Run it with a time window starting early on 9 May 20.

index=foo "IP Address" OR "IP Address" OR "IP Address"
| where (_time >= strptime("May 9, 2020 11:00 AM", "%b %d, %Y %I:%M %p") AND _time <= strptime("May 9, 2020 1:00 PM", "%b %d, %Y %I:%M %p"))
  OR (_time >= strptime("May 16, 2020 11:00 AM", "%b %d, %Y %I:%M %p") AND _time <= strptime("May 16, 2020 1:00 PM", "%b %d, %Y %I:%M %p"))
  OR (_time >= strptime("May 23, 2020 11:00 AM", "%b %d, %Y %I:%M %p") AND _time <= strptime("May 23, 2020 1:00 PM", "%b %d, %Y %I:%M %p"))
| timechart count by src
| sort - count
---
If this reply helps you, an upvote would be appreciated.

0 Karma
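The same three windows written with strftime instead of parsed AM/PM strings, as an added example rather than Rich's own search: it assumes the same `index=foo` and `src` field as above, bounds the base search to the span that covers all three days, and compares 24-hour strings so no %p parsing is involved. strftime renders _time in the searching user's configured timezone, so the 11:00 to 13:00 window follows that setting.

```spl
index=foo earliest="05/09/2020:00:00:00" latest="05/24/2020:00:00:00" "IP Address" OR "IP Address" OR "IP Address"
| eval day=strftime(_time, "%Y-%m-%d"), hhmm=strftime(_time, "%H:%M")
| where day IN ("2020-05-09", "2020-05-16", "2020-05-23") AND hhmm >= "11:00" AND hhmm <= "13:00"
| timechart count by src
```

Adding a date to the IN list extends the report without touching the rest of the search.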

itsmevic
Communicator

As always, a big thank you, Rich!

0 Karma