Splunk Search

How to search for a field value during a certain period of time using an extracted time field?



I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie time_extract>=10 AND time_extract<23 ..how to go about that?

Current search:

Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23
0 Karma


You just need to do the where time_extract BEFORE the stats command. You could also combine the two filters, like this

... | where Date_extract="10/29/16" AND (Time_extract>=12 AND Time_extract<23) | stats count by severity

0 Karma


Can you have a look at the link provided here which explains both extraction of hour and searching on it or alternatively using date_hour (and what could be the consequences of it in @ppablo_splunk 's comments of the post):


However what you should be looking at is something like below:

your Query that returns data 
 |eval myHour=strftime(_time, "%H") 
 | where myHour>=12  AND myHour<23
 | stats count by severity
0 Karma


Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted if you run the search in "Verbose mode" (changed "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode).

If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):

<base_search> date_hour>=12 date_hour<23 | stats count by severity

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...