I am trying to find errors occurring between 08:00am and 06:00pm in a given region and plot the results over a month, i.e. the search should check for errors between 08:00am and 06:00pm EDT, 08:00am and 06:00pm BST, and 08:00am and 06:00pm HKG.
Can someone please let me know how to achieve this?
Assuming your logs are being written with the appropriate local time zone and the event time is being extracted from the text of the events, you might be able to use the date_hour field. E.g.
search-to-find-errors date_hour >= 8 date_hour < 18
_time is normalized to be stored as UTC seconds; these date_* fields do not have the same conversions applied (according to the doc at least). Now, if your logs are not being written with a timestamp in the text of the event, or if your logs are written in UTC instead of the appropriate local time, then this answer will not work.
If you want to be absolutely sure, couldn't you do this:
<your_search> | eval MyHour = strftime(_time, "%H") | eval MyMinutes = strftime(_time, "%M") | where ( tonumber(MyHour) >= 7 AND tonumber(MyHour) <= 17 ) ........
This will use the UTC time, and apply timezone conversions.
Yes. I have used the date_hour field as below
(date_hour >= 7 AND date_hour <= 17) (date_minute >= 0 AND date_minute <= 59)
This gives me the desired output. So, I am checking between 7am and 5pm.
@woodcock: Check the note in the doc that I linked in my answer again.
date_* fields are the raw text from the event, with no timezone conversions applied (i.e. whatever is local time for each event).
_time is UTC seconds. Therefore mishradb is checking local time for each event.
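The point the answer and the last comment make (date_hour reflects each event's local clock, while strftime on _time yields the UTC hour) can be seen on a handful of constructed events. This is an added example, not code from the thread; it assumes fixed offsets for the three zones the question names (EDT = UTC-4, BST = UTC+1, HKG = UTC+8) and a "region" field on each event.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets for the zones named in the question. Assumption: EDT and BST
# are the summer offsets and Hong Kong observes no DST; production code would
# use zoneinfo with IANA names instead.
REGION_TZ = {
    "EDT": timezone(timedelta(hours=-4)),
    "BST": timezone(timedelta(hours=1)),
    "HKG": timezone(timedelta(hours=8)),
}

def ts(iso_utc):
    """Constructed helper: ISO-8601 UTC wall time -> epoch seconds (Splunk's _time)."""
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp())

# Constructed events: _time as stored by Splunk (UTC seconds) plus a region field.
EVENTS = [
    {"_time": ts("2023-06-05T13:00:00"), "region": "EDT", "msg": "ERROR db timeout"},   # 09:00 EDT
    {"_time": ts("2023-06-05T23:30:00"), "region": "EDT", "msg": "ERROR db timeout"},   # 19:30 EDT
    {"_time": ts("2023-06-05T08:15:00"), "region": "BST", "msg": "ERROR auth failed"},  # 09:15 BST
    {"_time": ts("2023-06-05T17:30:00"), "region": "BST", "msg": "ERROR auth failed"},  # 18:30 BST
    {"_time": ts("2023-06-05T01:00:00"), "region": "HKG", "msg": "ERROR disk full"},    # 09:00 HKT
    {"_time": ts("2023-06-05T11:00:00"), "region": "HKG", "msg": "ERROR disk full"},    # 19:00 HKT
    {"_time": ts("2023-06-05T12:00:00"), "region": "HKG", "msg": "INFO heartbeat ok"},  # not an error
]

def local_hour(event):
    """What date_hour holds when the event text carries a local timestamp."""
    return datetime.fromtimestamp(event["_time"], REGION_TZ[event["region"]]).hour

def utc_hour(event):
    """What strftime(_time, "%H") yields: _time is normalized to UTC."""
    return datetime.fromtimestamp(event["_time"], timezone.utc).hour

def business_hours_errors(events, hour_fn, start=8, end=18):
    """Count ERROR events per region whose hour (per hour_fn) falls in
    [start, end), mirroring 'search-to-find-errors date_hour >= 8 date_hour < 18'."""
    counts = {}
    for e in events:
        if "ERROR" in e["msg"] and start <= hour_fn(e) < end:
            counts[e["region"]] = counts.get(e["region"], 0) + 1
    return counts

if __name__ == "__main__":
    print("local-hour filter:", business_hours_errors(EVENTS, local_hour))
    print("utc-hour filter:  ", business_hours_errors(EVENTS, utc_hour))
```

The local-hour filter keeps exactly one error per region; the UTC-hour filter misclassifies the 18:30 BST event as in-window, which is why the answer's date_hour approach only works when the event text carries local time.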