SPL - Creating a list using two time stamp entries

jacobmcn67 · ‎04-18-2021

Hi all,

I am trying to create a fourth column which would display all values between a given time range in the single cell. For the screenshot provided this would mean a cell in the fourth column containing:
10:00

11:00

12:00

I am not sure how to do this without using a loop.

Thanks

Jacob

manjunathmeti · ‎04-18-2021

hi @jacobmcn67,

You can use mvrange function which creates a multivalue field with a range of numbers between X and Y, incrementing by Z.

| makeresults 
| eval start="11:00", end="14:00"
| eval st="04/19/2021 ".start, et="04/19/2021 ".end 
| eval st=strptime(st, "%m/%d/%Y %H:%M"), et=strptime(et, "%m/%d/%Y %H:%M")
| eval mv=mvrange(st,et,"1h"), mv=strftime(mv, "%H:%M")
| table start, end, mv

Here 04/19/2021 is some date used just to convert start and end to the epoch values. It is a constant and you don't need to change it.

If this reply helps you, a like would be appreciated.

SPL - Creating a list using two time stamp entries

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

SPL - Creating a list using two time stamp entries

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future