Filtering by 24h time in splunk

priyangshupal · ‎09-15-2021

I have a field timeofevent which contains the time at which the event was logged in 24 hour format.

Format of timeofevent: HH:MM

I want only the events which were logged between 18:30 to 08:30 CST.

ITWhisperer · ‎09-15-2021

Try this

| where timeofevent>="18:30" OR timeofevent<="08:30"

priyangshupal · ‎09-15-2021

Shouldn't it be?

| where timeofevent>="18:30" AND timeofevent<="08:30"

ITWhisperer · ‎09-15-2021

Only if you want no results!

Splunk works on a pipeline of event, each event is processed separately, so an event cannot be both >18:30 and <08:30 at the same time

priyangshupal · ‎09-15-2021

By using

| where timeofevent>="18:30" OR timeofevent<="08:30"

it is returning all the events, even the ones which are outside of that timeframe

ITWhisperer · ‎09-15-2021

You probably need to convert the string to a number e.g. "18:30" becomes 1830 and "08:30" becomes 830

| eval timeofevent=tonumber(replace(timeofevent,":",""),10)
| where timeofevent>=1830 OR timeofevent<=830