Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How could I look only at a defined time span in real-time-search?

Felix82
Explorer
‎07-12-2021 06:38 AM

Hi, 

 

I'm new in working with Splunk - I began to explore the program last monday...

I have the task to create a dashboard for visualizing the availibility of a machine. My working base: The machine data, additional  disorder reports by workers (implemented by tablets) and the knowledge about the working times (monday till friday, 5.30am till 10.30pm).

Now I want to use the daily data in timerange from 5.30am till 10.30pm because the availibility should only represents the disorder times in relation to real working time. How could I do that without a specified date?

 

Many Thanks and Greetings from Germany, 

Felix

0 Karma
Reply

Felix82
Explorer
‎07-12-2021 11:09 PM

Hi Michel,

 

thank you for sharing your experiences! It's so difficult and extensive to get an overview around all commands and functions... I will test your parameters then give you feedback.

 

Greetings, 

Felix

0 Karma
Reply

michel_wolf
Path Finder
‎07-12-2021 08:10 AM

Hi Felix,

you need to extract these requirements from your date field to filter it. You can perform your search for example like index=.... earliest=-7d@d latest=now to get all your data from the last 7 days.

Then you can add something like this

| eval day=strftime(_time,"%u")
| search day IN (1 2 3 4 5)

| eval timestampStart="05:30:00"
| eval timestampEnd="22:30:00"
| eval timestampDate = strftime(_time,"%H:%M:%S")

| where timestampDate >= timestampStart AND timestampDate <= timestampEnd

 

Michel

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...