Splunk Search

How do I set the time range while running a search to find errors occurring between 08:00am and 06:00pm in a given region?

New Member

I am trying to find errors occurring between 08:00am and 06:00pm in a given region and plot the results over a month, i.e. the search should check for errors between 08:00am and 06:00pm EDT, 08:00am and 06:00pm BST, and 08:00am and 06:00pm HKG.

Can someone please let me know how to achieve this?

0 Karma

Influencer

Assuming your logs are being written with the appropriate local time zone and the event time is being extracted from the text of the events, you might be able to use the date_hour field. E.g.

search-to-find-errors date_hour >= 8 date_hour < 18

While _time is normalized to be stored as UTC seconds, these date_* fields do not have the same conversions applied (according to the doc at least). Now if your logs are not being written with a timestamp in the text of the event, or if your logs are written in UTC instead of the appropriate local time, then this answer will not work.

0 Karma

SplunkTrust

If you want to be absolutely sure, couldn't you do this:

<your_search> | eval MyHour = tonumber(strftime(_time, "%H")) | eval MyMinutes = tonumber(strftime(_time, "%M")) | where MyHour >= 7 AND MyHour <= 17 ........

This will use the UTC time, and apply timezone conversions.

0 Karma

New Member

Yes. I have used the date_hour field as below:

(date_hour >= 7 AND date_hour <= 17) (date_minute >= 0 AND date_minute <= 59)

This gives me the desired output. So, I am checking between 7am and 5pm.

0 Karma

Esteemed Legend

You are checking GMT, just so you know.

0 Karma

Influencer

@woodcock: Check the note in the doc that I linked in my answer again. date_* fields are the raw text from the event, with no timezone conversions applied (i.e. whatever is local time for each event). _time is UTC seconds. Therefore mishradb is checking local time for each event.

0 Karma
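The disagreement above (raw date_hour versus an hour derived from _time) comes down to where the hour is taken from. The following Python script is an added illustration, not code from the thread or from Splunk: it mimics the two approaches on a handful of constructed events. The event lines, the region names and the fixed offsets (-0400 for EDT, +0100 for BST, +0800 for Hong Kong) are all assumptions made up for the example. `date_hour` is taken straight from the digits in the raw text, the way Splunk's date_* fields are, while `_time` is the event converted to UTC epoch seconds; the second filter then reads the hour back from that epoch as strftime(_time, "%H") would on a search head whose time zone is UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the thread). Each line carries the local
# timestamp plus its numeric UTC offset, as the raw event text Splunk would index.
SAMPLE_EVENTS = [
    "2015-06-01 08:15:00 -0400 ERROR region=us-east db connection lost",   # 12:15 UTC
    "2015-06-01 17:45:00 -0400 ERROR region=us-east request timeout",      # 21:45 UTC
    "2015-06-01 09:05:00 +0100 ERROR region=london queue full",            # 08:05 UTC
    "2015-06-01 02:45:00 +0100 ERROR region=london disk full",             # 01:45 UTC
    "2015-06-01 08:30:00 +0800 ERROR region=hongkong auth failed",         # 00:30 UTC
    "2015-06-01 20:30:00 +0800 ERROR region=hongkong cache miss storm",    # 12:30 UTC
    "2015-06-01 23:10:00 +0800 INFO  region=hongkong heartbeat",           # not an error
]

TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2}) (\w+)"
)


def parse_event(line):
    """Mimic Splunk's timestamp extraction for one raw event.

    Returns a dict with:
      _time     -> epoch seconds in UTC (what Splunk stores)
      date_hour -> the hour digits copied from the raw text, no tz conversion
      level     -> the log level token that follows the timestamp
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("unrecognised timestamp in event: %r" % line)
    day, hh, mm, ss, sign, off_h, off_m, level = m.groups()
    offset = timedelta(hours=int(off_h), minutes=int(off_m))
    if sign == "-":
        offset = -offset
    local = datetime.strptime(f"{day} {hh}:{mm}:{ss}", "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(offset))
    return {
        "_time": int(local.timestamp()),
        "date_hour": int(hh),
        "level": level,
        "raw": line,
    }


def in_window_date_hour(ev, start=8, end=18):
    """The date_hour approach: compare the raw local hour (date_hour >= 8 date_hour < 18)."""
    return start <= ev["date_hour"] < end


def in_window_utc_hour(ev, start=8, end=18):
    """The strftime(_time, "%H") approach, evaluated with a UTC search-time zone."""
    hour = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).hour
    return start <= hour < end


def find_errors(events, predicate):
    """Return the raw lines that are ERROR events and fall inside the window."""
    return [
        ev["raw"]
        for ev in (parse_event(line) for line in events)
        if ev["level"] == "ERROR" and predicate(ev)
    ]


if __name__ == "__main__":
    for name, pred in (("date_hour", in_window_date_hour), ("UTC hour", in_window_utc_hour)):
        print(f"--- {name} filter ---")
        for line in find_errors(SAMPLE_EVENTS, pred):
            print(line)
```

Running it shows the difference the thread is arguing about: the date_hour filter keeps every ERROR whose local clock read 08:00 to 17:59 (four events across the three regions), while the UTC-hour filter drops the 17:45 EDT and 08:30 HKT errors and instead picks up the 20:30 HKT one, because only their UTC hours fall in the window. If the search head's time zone is set to something other than UTC, strftime(_time, ...) shifts again, so the result depends on the user running the search rather than on the region the event came from.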