Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for a field value during a certain period of time using an extracted time field?

arunkuriakose
Explorer
‎10-30-2016 07:58 AM

Hi

I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie time_extract>=10 AND time_extract<23 ..how to go about that?

Current search:

Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23
0 Karma
Reply

sundareshr
Legend
‎10-30-2016 04:21 PM

You just need to do the where time_extract BEFORE the stats command. You could also combine the two filters, like this

... | where Date_extract="10/29/16" AND (Time_extract>=12 AND Time_extract<23) | stats count by severity

0 Karma
Reply

gokadroid
Motivator
‎10-30-2016 02:17 PM

Can you have a look at the link provided here which explains both extraction of hour and searching on it or alternatively using date_hour (and what could be the consequences of it in @ppablo_splunk 's comments of the post):

https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150

However what you should be looking at is something like below:

your Query that returns data 
 |eval myHour=strftime(_time, "%H") 
 | where myHour>=12  AND myHour<23
 | stats count by severity
0 Karma
Reply

rjthibod
Champion
‎10-30-2016 01:23 PM

Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted if you run the search in "Verbose mode" (changed "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode).

If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):

<base_search> date_hour>=12 date_hour<23 | stats count by severity

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...