Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you exclude certain days from a time ra...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To exclude wednesday you would add 'date_wday!=wednesday' to your search.
Check this article out for more information about the internal date fields -
http://www.splunk.com/base/Documentation/4.1/User/UseDefaultAndInternalFields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could filter out events based on the _time field using a where search command. This is more difficult to setup that using date_wday, but it's very flexible.
The basic approach would be to preform your search, then grab the timerange of your searchs using the addinfo search command. Then use the where search to filter out the unwanted events in the middle of your search range.
For example, say you were searching over a 1 hour window, but want to remove the center 30 minutes (so remove events between 15 after to 45 minutes after), you could do a search like this:
<your search> earliest=-1h@h latest=@h | addinfo | where _time < (info_min_time+900) OR _time > (info_max_time-900)
Some additional thoughts:
Along with info_min_time, info_max_time which I used in this example, there is also info_search_time which could be used if you wanted to do some time operations relative to the system time when you run your search.
Note that you can also use _indextime here, if you wanted to look at when your events were actually indexed rather than when your events occurred; which is sometimes interesting to look at.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could filter out events based on the _time field using a where search command. This is more difficult to setup that using date_wday, but it's very flexible.
The basic approach would be to preform your search, then grab the timerange of your searchs using the addinfo search command. Then use the where search to filter out the unwanted events in the middle of your search range.
For example, say you were searching over a 1 hour window, but want to remove the center 30 minutes (so remove events between 15 after to 45 minutes after), you could do a search like this:
<your search> earliest=-1h@h latest=@h | addinfo | where _time < (info_min_time+900) OR _time > (info_max_time-900)
Some additional thoughts:
Along with info_min_time, info_max_time which I used in this example, there is also info_search_time which could be used if you wanted to do some time operations relative to the system time when you run your search.
Note that you can also use _indextime here, if you wanted to look at when your events were actually indexed rather than when your events occurred; which is sometimes interesting to look at.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To exclude wednesday you would add 'date_wday!=wednesday' to your search.
Check this article out for more information about the internal date fields -
http://www.splunk.com/base/Documentation/4.1/User/UseDefaultAndInternalFields
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
