Hi
I have a field extracted by regex, i.e. Time_extract, which gives the hour. Now I want to get the logs between a period of time, i.e. time_extract>=10 AND time_extract<23.
How do I go about that?
Current search:
Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23
You just need to do the where time_extract BEFORE the stats command. You could also combine the two filters, like this:
... | where Date_extract="10/29/16" AND (Time_extract>=12 AND Time_extract<23) | stats count by severity
Can you have a look at the link provided here, which explains both extracting the hour and searching on it, or alternatively using date_hour (and what the consequences of that could be, in @ppablo_splunk's comments on the post):
https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150
However, what you should be looking at is something like below:
<your query that returns data>
| eval myHour=strftime(_time, "%H")
| where myHour>=12 AND myHour<23
| stats count by severity
Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted when you run the search in "Verbose Mode" (change "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode")?
If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):
<base_search> date_hour>=12 date_hour<23 | stats count by severity
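The two points raised across the answers above (filter on the hour before `stats`, and be aware that an hour read from the raw timestamp text, as Splunk's date_hour is, is not timezone-adjusted, while strftime(_time, "%H") renders _time in the searching user's timezone) can be shown without a Splunk instance. The following is an added example, not code from the thread or from Splunk: a small Python model of the pipelines over constructed log lines. The line format, the field names (severity, hour, raw_hour) and the -0700 offset of the sample events are assumptions for illustration.

```python
"""Model of `... | where hour>=lo AND hour<hi | stats count by severity` over
constructed log lines, to show why the `where` must precede `stats` and how the
hour source (raw timestamp text vs. timezone-adjusted _time) changes the result.
Added illustration only; Splunk is not involved."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumed format): ISO-8601 timestamp with an explicit
# UTC offset, then a severity keyword, then free text.
SAMPLE_LOGS = """\
2016-10-29T09:15:02-0700 WARN disk usage at 91%
2016-10-29T12:00:00-0700 ERROR auth failure for user svc_backup
2016-10-29T15:42:10-0700 INFO scheduled job completed
2016-10-29T22:59:59-0700 ERROR auth failure for user admin
2016-10-29T23:00:00-0700 WARN disk usage at 95%
2016-10-30T01:30:00-0700 INFO nightly rotation
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<severity>[A-Z]+)\s+(?P<msg>.*)$")
RAW_HOUR_RE = re.compile(r"T(\d{2}):")  # what a regex extraction (or date_hour) sees in the text

SOURCE_TZ = timezone(timedelta(hours=-7))  # the offset the sample lines carry (assumption)


def parse_events(text=SAMPLE_LOGS):
    """One dict per matching line: _time (tz-aware), raw_hour (from text), severity.
    Lines the regex does not match are dropped, like a failed field extraction."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = m.group("ts")
        events.append({
            "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"),
            "raw_hour": int(RAW_HOUR_RE.search(ts).group(1)),
            "severity": m.group("severity"),
        })
    return events


def raw_hour(event):
    """Hour as it appears in the raw event text, not adjusted for any timezone."""
    return event["raw_hour"]


def tz_hour(event, tz=timezone.utc):
    """Equivalent of eval myHour=strftime(_time, "%H") for a user whose timezone is tz."""
    return int(event["_time"].astimezone(tz).strftime("%H"))


def source_hour(event):
    """strftime hour for a user whose timezone matches the events' own offset."""
    return tz_hour(event, SOURCE_TZ)


def where_hour(rows, lo, hi, key="hour"):
    """`| where key>=lo AND key<hi`: a row without the field never matches."""
    return [r for r in rows if key in r and lo <= r[key] < hi]


def stats_count_by(rows, field="severity"):
    """`| stats count by field`: output rows keep only the by-field and count."""
    counts = Counter(r[field] for r in rows)
    return [{field: k, "count": v} for k, v in counts.items()]


def count_in_window(events, hour_of, lo=12, hi=23):
    """The recommended order: add the hour field, filter, then aggregate."""
    rows = [dict(e, hour=hour_of(e)) for e in events]
    return {r["severity"]: r["count"] for r in stats_count_by(where_hour(rows, lo, hi))}


def count_then_filter(events, hour_of, lo=12, hi=23):
    """The asker's order: aggregate first, then filter. The hour field no longer
    exists after stats, so the where clause matches nothing."""
    rows = [dict(e, hour=hour_of(e)) for e in events]
    return {r["severity"]: r["count"] for r in where_hour(stats_count_by(rows), lo, hi)}


if __name__ == "__main__":
    events = parse_events()
    print("where before stats, raw text hour:  ", count_in_window(events, raw_hour))
    print("where before stats, strftime in UTC:", count_in_window(events, tz_hour))
    print("where before stats, strftime -0700: ", count_in_window(events, source_hour))
    print("stats before where:                 ", count_then_filter(events, raw_hour))
```

The raw-text hour and the strftime hour agree only when the searching user's timezone matches the offset written in the events; a user searching in UTC gets a different set of events for the same 12..23 window. That is the practical reason to decide deliberately between date_hour and strftime(_time, "%H") rather than treating them as interchangeable.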