Splunk Search

How to compare only the time but not the date.

dl70
Loves-to-Learn

Hi,

So my search query looks up an Excel spreadsheet with a column called Time, which is populated with a time, e.g. 10:00 AM (no date included). However, when I look up this field in the Splunk query, I notice that the Time field is now associated with today's date, e.g. 08-01-2021 10:00.

This is an issue as I am trying to see if the event (time without the date) has occurred between two specific date and time ranges.

I.e., trying to see if an event with a time of 10:00 AM has occurred between 02-01-2021 and 03-01-2021. As Splunk associates the time with today's date, the event is not being picked up, as it is linked to today's date and thus is not within the date range.

Any ideas?

Thanks in advance

0 Karma

bowesmana
SplunkTrust

Is this value from the raw data now the Splunk _time field or some other field?

When you talk about 'lookup' are you using this excel spreadsheet as a CSV lookup within a query, or have you ingested that data from excel to an index?

If it's into an index and it is stored in the _time field then that is what Splunk has decided is your event time. Unless that ingested data has the real date that is to apply to that time, then there is no way it can get the correct date.

If it's another field, what does that raw field look like in the Excel data that you have ingested to the index?


0 Karma

dl70
Loves-to-Learn

Hi,

I am using an Excel spreadsheet as a CSV lookup within the query, and thus the _time field is empty. The value is from the spreadsheet, which in Splunk includes today's date. The issue I am facing is that I am trying to see if the time is within a specified range, e.g. does the event at 10:00 AM every day occur between 2nd Jan and 3rd Jan. The event should be displaying as "yes, it does occur between that time range", but as Splunk adds today's date to the time, it does not fit within the specified date range.

I am wondering if there is a way to remove the date part of the value, so that I am able to only compare the time.

Thanks in advance

0 Karma

bowesmana
SplunkTrust

Maybe you can post some of your query and an example of the raw data in your CSV lookup that contains the 10:00 AM time field. Splunk will not add anything extra from a lookup command to data that comes from that lookup result.

If the time field in Splunk has a date in it from a

| lookup your_excel_file.csv field

then the CSV also has the date part of that data. That would be easy enough to remove, e.g.

| rex field=Time mode=sed "s/.*(\d\d:\d\d [AP]M)/\1/"
0 Karma
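The following SPL is an added, self-contained example (not bowesmana's or the original poster's search) that carries the idea above one step further: strip any date prefix with the sed-style rex, then reduce the remaining clock time to seconds since midnight so it can be compared as a time-of-day window, and separately re-attach each date of the range of interest to the time so the combined timestamp can be tested against a real date range. The field name Time, the sample values (built with makeresults instead of a lookup), the DD-MM-YYYY date layout and the 09:00–17:00 window are all assumptions for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval Time=case(n==1, "08-01-2021 10:00 AM", n==2, "04:30 PM", n==3, "08-01-2021 11:15 PM")
| rex field=Time mode=sed "s/.*(\d\d:\d\d [AP]M)/\1/"
| eval _t=strptime(Time, "%I:%M %p")
| eval tod_secs=tonumber(strftime(_t, "%H"))*3600 + tonumber(strftime(_t, "%M"))*60
| eval in_window=if(tod_secs >= 9*3600 AND tod_secs < 17*3600, "yes", "no")
| eval day_start=strptime("02-01-2021 ".Time, "%d-%m-%Y %I:%M %p")
| eval day_end=strptime("03-01-2021 ".Time, "%d-%m-%Y %I:%M %p")
| eval range_start=strptime("02-01-2021", "%d-%m-%Y")
| eval range_end=strptime("03-01-2021 23:59:59", "%d-%m-%Y %H:%M:%S")
| eval occurs_in_range=if(day_start >= range_start AND day_end <= range_end, "yes", "no")
| table Time tod_secs in_window occurs_in_range
| fields - _t
```

After the rex the Time field holds only the clock time (the first row loses its date prefix; the second already had none). tod_secs is derived from the hour and minute only, so it is stable regardless of what date strptime silently attaches when parsing a time-only string. Replace the makeresults/eval rows with "| inputlookup your_excel_file.csv" (or the lookup command in the original search) to run it against the real CSV; if the spreadsheet writes dates as MM-DD-YYYY, adjust the %d-%m-%Y format strings accordingly.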