Re: How to search for a field value during a certa...

arunkuriakose · ‎10-30-2016

Hi

I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie time_extract>=10 AND time_extract<23 ..how to go about that?

Current search:

Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23

sundareshr · ‎10-30-2016

You just need to do the where time_extract BEFORE the stats command. You could also combine the two filters, like this

... | where Date_extract="10/29/16" AND (Time_extract>=12 AND Time_extract<23) | stats count by severity

gokadroid · ‎10-30-2016

Can you have a look at the link provided here which explains both extraction of hour and searching on it or alternatively using date_hour (and what could be the consequences of it in @ppablo_splunk 's comments of the post):

https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150

However what you should be looking at is something like below:

your Query that returns data 
 |eval myHour=strftime(_time, "%H") 
 | where myHour>=12  AND myHour<23
 | stats count by severity

rjthibod · ‎10-30-2016

Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted if you run the search in "Verbose mode" (changed "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode).

If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):

<base_search> date_hour>=12 date_hour<23 | stats count by severity

How to search for a field value during a certain period of time using an extracted time field?

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023

Platform Newsletter Highlights | March 2023