Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I set the time range while running a search to find errors occurring between 08:00am and 06:00pm in a given region?

mishradb
New Member
‎06-16-2015 01:37 AM

I am trying to find errors occurring between 08:00am and 06:00pm in a given region and plot the results over a month i.e the search should check for errors between 08:00am and 06:00pm EDT, 08:00am and 06:00pm BST and 08:00am and 06:00pm HKG.

Can someone please let me know how to achieve this?

Tags (3)
0 Karma
Reply

acharlieh
Influencer
‎06-16-2015 06:11 AM

Assuming your logs are being written with the appropriate local time zone and the event time is being extracted from the text of the events you might be able to use the date_hour field. E.g.

search-to-find-errors date_hour >= 8 date_hour < 18

While _time is normalized to be stored as UTC seconds these date_* fields do not have the same conversions applied (according to the doc at least). Now if your logs are not being written with a timestamp in the text of the event, or if your logs are written in UTC instead of the appropriate local time then this answer will not work.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-23-2015 06:27 AM

If you want to be absolutely sure, couldn't you do this:

<your_search> | eval MyHour = strftime(_time, "%H") | eval  MyMinutes  = strftime(_time,"%M")| search ( tonumber(MyHour) >= 7 AND tonumber(MyHour) <=17 ) ........

This will use the UTC time, and apply timezone conversions.

0 Karma
Reply

mishradb
New Member
‎06-16-2015 06:16 AM

Yes. I have used the date_hour field as below

(date_hour >= 7 AND date_hour <= 17) (date_minute >= 0 AND date_minute <= 59)

This gives me the desired output.So, I am checking between 7am and 5 pm.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-20-2015 08:08 AM

You are checking GMT, just so you know.

0 Karma
Reply

acharlieh
Influencer
‎06-20-2015 08:21 AM

@woodcock: Check the note in the doc that I linked in my answer again. date_* fields are the raw text from the event, with no timezone conversions applied (i.e. whatever is local time for each event). _time is UTC seconds. Therefore mishradb is checking local time for each event.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...