Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I filter search based on date and hour range?

Sunil2020
Explorer
‎07-28-2020 02:36 PM

Hello Splunkers,

 

I am trying to achieve below in my search.

I have two tables/sources where dates stores are of different format.

Source A has two fields with below format.

startdate -  2020-07-15 09:30:35

enddate -   2020-07-15 11:30:40

Source B

date - 2020-07-15 00:00:00

hour - 10

From Source A I have to extract date and hour separately. For Example, from startdate field , I have to extract date as 2020-07-15 and hour as 09 and from field enddate, date as 2020-07-15 and hour as 12

Using above I am trying to filter events from Source B as below.
...main search

| eval startdate=strptime(startdate, “%Y-%m-%d”), enddate=strptime(enddate,”%Y-%m-%d”), date=strptime (date, “%Y-%m-%d”)

| where (startdate >= date AND starthour >= hour) AND (enddatew<= date AND endhour <= hour)

Above search does not return any events.

Your help is highly appreciated.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-28-2020 03:21 PM

Hi

You could try this:

index=_internal
| head 1
| eval _raw="startdate,enddate,date,hour
2020-07-15 09:30:35,2020-07-15 11:30:40,2020-07-15 00:00:00,10"
| multikv forceheader=1
| rename COMMENT as "Previous generate sample data"
| eval sd = strptime(startdate, "%F %T")
| eval ed = strptime(enddate, "%F %T")
| eval da = strptime(date, "%F %T") 
| eval daho = da + 60*60 * hour
| where (sd <= daho) AND (daho <= ed)

 

When you are changed between string and epoch you must use the whole format. I am using %F %T which is shortcut for %Y-%m-%d %H:%M:%S. 

Then just add hours to date for comparing the dates.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-28-2020 05:31 PM

Assuming you are using a reporting command such as stats and timechart and pass _time after. You can do something as easy as this. You are using the strftime function to explicitly extract out the day and hour value from epoch time then filtering down with where on the day and hour

 

| eval startdate_time=strptime(startdate,"%Y-%m-%d %H:%M:%S")

| eval enddate_time=strptime(enddate,"%Y-%m-%d %H:%M:%S")

| eval date_time=strptime(date,"%Y-%m-%d %H:%M:%S")

| eval date_hour=strftime(startdate_time, "%H")

| eval date_day=strftime(startdate_time, "%a")

| eval date_hour=strftime(enddate_time, "%H")

| eval date_day=strftime(enddate_time, "%a")

| eval date_day=strftime(date_time, "%a")

| eval date_hour=strftime(date_time, "%H")

| eval alert=if((date_day >= 10 AND date_hour >= 12) AND (date_day <28 date AND date_hour >10),1,0)

| where alert=1

Reply
Solved! Jump to solution

Sunil2020
Explorer
‎07-29-2020 02:19 AM

Hello @skoelpin 

I was trying to list the events between date and hour range in Source B where date range and hour range was extracted from Source A.

Idea was to show the relevant events in table.

Thanks for your inputs.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-28-2020 03:21 PM

Hi

You could try this:

index=_internal
| head 1
| eval _raw="startdate,enddate,date,hour
2020-07-15 09:30:35,2020-07-15 11:30:40,2020-07-15 00:00:00,10"
| multikv forceheader=1
| rename COMMENT as "Previous generate sample data"
| eval sd = strptime(startdate, "%F %T")
| eval ed = strptime(enddate, "%F %T")
| eval da = strptime(date, "%F %T") 
| eval daho = da + 60*60 * hour
| where (sd <= daho) AND (daho <= ed)

 

When you are changed between string and epoch you must use the whole format. I am using %F %T which is shortcut for %Y-%m-%d %H:%M:%S. 

Then just add hours to date for comparing the dates.

r. Ismo

Reply
Solved! Jump to solution

Sunil2020
Explorer
‎07-29-2020 02:17 AM

Awesome, this worked.

Thanks a ton @isoutamo 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...