Solved: How to create a 14 day search for specific time ra...

ashidhingra · ‎07-18-2022

How to create a 14 day search for specific time range (02:00 - 06:00) only?

bowesmana · ‎07-18-2022

You can either set up the search with multiple ranges in the search string, i.e.

index=... criteria=...
 ((earliest=@d+2h latest=@d+6h) OR 
  (earliest=-d@d+2h latest=-d@d+6h) OR 
  (earliest=-2d@d+2h latest=-2d@d+6h) OR 
  (earliest=-3d@d+2h latest=-3d@d+6h) OR 
  (earliest=-4d@d+2h latest=-4d@d+6h) OR 
  (earliest=-5d@d+2h latest=-5d@d+6h) OR 
  (earliest=-6d@d+2h latest=-6d@d+6h) OR 
  (earliest=-7d@d+2h latest=-7d@d+6h) OR 
  (earliest=-8d@d+2h latest=-8d@d+6h) OR 
  (earliest=-9d@d+2h latest=-9d@d+6h) OR 
  (earliest=-10d@d+2h latest=-10d@d+6h) OR 
  (earliest=-11d@d+2h latest=-11d@d+6h) OR 
  (earliest=-12d@d+2h latest=-12d@d+6h) OR 
  (earliest=-13d@d+2h latest=-13d@d+6h) OR 
  (earliest=-14d@d+2h latest=-14d@d+6h))
...

or you can search for 2 weeks of data and then filter the appropriate time ranges out you want.

View solution in original post

ashidhingra · ‎07-19-2022

Is there a way to only show the time of the query on the timechart

bowesmana · ‎07-19-2022

I don't believe you can remove the 6am-2am regions from the chart, but you might want to look at the timewrap command

https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Timewrap

which would allow you to plot all points one the same chart 2am-6am of the current day and to show the other days in the same time slot, but as different data series.

gcusello · ‎07-19-2022

Hi @ashidhingra,

if you have the time_hour field, you could use a search like this:

index=your_index earliest=-14d@d latest=@d (time_hour>1 time_hour<7)
| ...

if you haven't this field, you have to extract it

index=your_index earliest=-14d@d latest=@d 
| eval time_hour=strftime(_time,"H")
| where (time_hour>1 AND time_hour<7)
| ...

Ciao.

Giuseppe

bowesmana · ‎07-18-2022

You can either set up the search with multiple ranges in the search string, i.e.

index=... criteria=...
 ((earliest=@d+2h latest=@d+6h) OR 
  (earliest=-d@d+2h latest=-d@d+6h) OR 
  (earliest=-2d@d+2h latest=-2d@d+6h) OR 
  (earliest=-3d@d+2h latest=-3d@d+6h) OR 
  (earliest=-4d@d+2h latest=-4d@d+6h) OR 
  (earliest=-5d@d+2h latest=-5d@d+6h) OR 
  (earliest=-6d@d+2h latest=-6d@d+6h) OR 
  (earliest=-7d@d+2h latest=-7d@d+6h) OR 
  (earliest=-8d@d+2h latest=-8d@d+6h) OR 
  (earliest=-9d@d+2h latest=-9d@d+6h) OR 
  (earliest=-10d@d+2h latest=-10d@d+6h) OR 
  (earliest=-11d@d+2h latest=-11d@d+6h) OR 
  (earliest=-12d@d+2h latest=-12d@d+6h) OR 
  (earliest=-13d@d+2h latest=-13d@d+6h) OR 
  (earliest=-14d@d+2h latest=-14d@d+6h))
...

or you can search for 2 weeks of data and then filter the appropriate time ranges out you want.

burwell · ‎07-18-2022

I think you would have to carefully craft a string of earliestTime >= and latestTime <= for all the four hour time slots over the past 14 days.

How to create a 14 day search for specific time range (02:00 - 06:00) only?

stats

table

timechart

transaction

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!