How could I look only at a defined time span in re...

Felix82 · ‎07-12-2021

Hi,

I'm new in working with Splunk - I began to explore the program last monday...

I have the task to create a dashboard for visualizing the availibility of a machine. My working base: The machine data, additional disorder reports by workers (implemented by tablets) and the knowledge about the working times (monday till friday, 5.30am till 10.30pm).

Now I want to use the daily data in timerange from 5.30am till 10.30pm because the availibility should only represents the disorder times in relation to real working time. How could I do that without a specified date?

Many Thanks and Greetings from Germany,

Felix

Felix82 · ‎07-12-2021

Hi Michel,

thank you for sharing your experiences! It's so difficult and extensive to get an overview around all commands and functions... I will test your parameters then give you feedback.

Greetings,

Felix

michel_wolf · ‎07-12-2021

Hi Felix,

you need to extract these requirements from your date field to filter it. You can perform your search for example like index=.... earliest=-7d@d latest=now to get all your data from the last 7 days.

Then you can add something like this

| eval day=strftime(_time,"%u")
| search day IN (1 2 3 4 5)

| eval timestampStart="05:30:00"
| eval timestampEnd="22:30:00"
| eval timestampDate = strftime(_time,"%H:%M:%S")

| where timestampDate >= timestampStart AND timestampDate <= timestampEnd

Michel

How could I look only at a defined time span in real-time-search?

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor