Splunk Search

How to search for a field value during a certain period of time using an extracted time field?



I have an extracted field from regex, i.e. Time_extract, which gives the hour. Now I want to get the logs between a period of time, i.e. time_extract>=10 AND time_extract<23. How to go about that?

Current search:

Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23
0 Karma


You just need to do the where time_extract BEFORE the stats command. You could also combine the two filters, like this:

... | where Date_extract="10/29/16" AND (Time_extract>=12 AND Time_extract<23) | stats count by severity

0 Karma


Can you have a look at the link provided here, which explains both extraction of the hour and searching on it, or alternatively using date_hour (and what the consequences of that could be, in @ppablo_splunk's comments on the post):


However what you should be looking at is something like below:

your Query that returns data 
 |eval myHour=strftime(_time, "%H") 
 | where myHour>=12  AND myHour<23
 | stats count by severity
0 Karma
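A self-contained search that demonstrates the two points made in the answers above (filter on the hour before the stats command, and derive the hour from _time with strftime) on constructed data, so it can be pasted into any search bar without needing the original logs. This is an added example, not part of the original post or of Splunk's documentation; the six events, their hours and severities are made up, and the search assumes makeresults, streamstats, strptime/strftime and tonumber are available (all standard eval/search commands):

```spl
| makeresults count=6
| streamstats count AS n
| eval hour = mvindex(split("08,11,14,17,20,23", ","), n - 1)
| eval severity = mvindex(split("high,low,high,medium,high,low", ","), n - 1)
| eval _time = strptime("10/29/16 " . hour . ":15:00", "%m/%d/%y %H:%M:%S")
| fields _time severity
| eval myHour = strftime(_time, "%H")
| where tonumber(myHour) >= 12 AND tonumber(myHour) < 23
| stats count BY severity
```

The first six lines only fabricate events: each of the six rows gets a constructed timestamp on 10/29/16 at hours 08, 11, 14, 17, 20 and 23 and a constructed severity. The last three lines are the pattern from the answer: myHour is rebuilt from _time, the where filters on it, and only then does stats aggregate. Expected result is high = 2 and medium = 1 (the 14:15, 17:15 and 20:15 events); 08, 11 and 23 fall outside the half-open window. strftime returns a string, so wrapping myHour in tonumber() makes the comparison explicitly numeric. Moving the where after the stats command, as in the original search, returns no rows at all, because stats only outputs the count and severity fields and myHour no longer exists at that point.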


Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted if you run the search in "Verbose Mode" (change "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode")?

If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):

<base_search> date_hour>=12 date_hour<23 | stats count by severity

0 Karma