Splunk Search

How to filter a search by a time field in hhmm format?

hmdoan
Explorer

I need to calculate some MTTR numbers based on NOC work shifts. In particular these shifts:

First Front: Sun-Wed 0700-1630
First Back: Wed-Sat 0700-1630
Second Front: Sun-Wed 1200-2200
Second Back: Wed-Sat 1230-2200
Third Front: Sun-Wed 2030-0700
Third Back: Wed-Sat 2000-0700

So for the shifts that are in even hours like Sun-Wed 1200-2200, the search filter is pretty easy:

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) AND date_hour>=12 AND date_hour<22

However, when you add in the half hours, I don't have any clue how to filter something like Sun-Wed 0700-1630 using the existing time fields available.


javiergn
Super Champion

What about?

First Front

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday)
AND date_hour>=7 AND (date_hour<16 OR (date_hour=16 AND date_minute<=30))

EDIT (if you are worried about the seconds):

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday)
AND date_hour>=7 AND (date_hour<16 OR (date_hour=16 AND date_minute<30))

Or

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday)
AND date_hour>=7 AND (date_hour<16 OR (date_hour=16 AND date_minute<=30 AND date_second=0))
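A more general way to do this, added here as an example and not part of the thread's own searches: derive an hhmm number from _time and compare it against the shift boundaries directly, instead of combining date_hour and date_minute by hand. This also covers the overnight shifts in the original list (Third Front, Sun-Wed 2030-0700), which a single date_hour range cannot express because the 0000-0700 portion falls on the following weekday. The index, sourcetype and the created_time/resolved_time epoch fields are assumptions for illustration.

```spl
index=noc_tickets sourcetype=ticket_resolved
``` assumed index/sourcetype; any event with an epoch created_time and resolved_time will do ```
| eval hhmm=tonumber(strftime(_time, "%H%M"))
``` "0730" becomes 730, "1630" becomes 1630, so hhmm>=700 AND hhmm<1630 is the 0700-1630 window ```
| eval front_day=if(match(date_wday, "^(sunday|monday|tuesday|wednesday)$"), 1, 0)
| eval back_day=if(match(date_wday, "^(wednesday|thursday|friday|saturday)$"), 1, 0)
| eval first_front=if(front_day=1 AND hhmm>=700 AND hhmm<1630, 1, 0)
| eval second_back=if(back_day=1 AND hhmm>=1230 AND hhmm<2200, 1, 0)
``` overnight shift: the evening part uses the shift's own days, the after-midnight part uses the next weekday ```
| eval third_front=if((front_day=1 AND hhmm>=2030) OR (match(date_wday, "^(monday|tuesday|wednesday|thursday)$") AND hhmm<700), 1, 0)
| where first_front=1
| eval ttr_minutes=(resolved_time - created_time)/60
| stats count AS tickets avg(ttr_minutes) AS mttr_minutes
```

Swap the `where` clause for `second_back=1` or `third_front=1` to report on another shift; keeping each shift as its own flag rather than a single `case()` matters because the shifts overlap (First Front and Second Front both cover Sunday 1200-1630), and `case()` would only ever return the first match. One caveat when mixing the two field families: date_wday and the other date_* fields are extracted from the raw event timestamp at index time, while strftime(_time, ...) is rendered in the searching user's timezone, so if events are parsed in a different timezone from the NOC's the two can disagree around midnight. The triple-backtick comments are valid in recent Splunk versions; remove them on older releases.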