Solved: Re: Search a particular time of day across multipl...

sambiggins · ‎09-25-2013

Hello,

I'm trying to map out usage by time of day:

Morning (6am-8am)
Day Off Peak (8am-6pm)
Prime Time (6pm-11pm)
Night Off Peak (11pm-6am)

I'd like to be able to count events in these time slots across multiple days (for example a count of events in the last week that occurred during the Morning time slot).

Looking at the earliest and latest command, I don't see a way to snap that on a moving basis. Something like earliest=@d+6h latest=@d+8h for last seven days. Is there another way?

Thanks in advance!

yannK · ‎09-25-2013

You can use an eval function (or an automatic calculated field) based on "date_hour" to identify the time of the day.

Then use it as a condition over several days.

example of number of events per day per timeofday.

* | eval timeofday=case(date_hour>=6 AND date_hour<8,"Morning", date_hour>=8 AND date_hour<18,"Day Off Peak", date_hour>=18 AND date_hour<23,"Prime Time", date_hour>=23 OR date_hour<6,"Night Off Peak", 1=1,"error") | timechart span=1d count by timeofday

View solution in original post

kristian_kolb · ‎09-25-2013

Have you looked at the date_* fields? They are automatically extracted for most types of log files, but not all. The timestamp in your event is used for determining the the time the event should be indexed under, but it is also broken down into the date_* fields, e.g. date_wday, date_mday, date_hour etc.

If you live in an area where a 12-hour time notation is used in the event timestamps, this is somewhat less useful, and you might be better off by manually extracting the relevant part out of the _time field (in the 24-hour notation).

...| eval hr = strftime(_time, "%H") 
| eval slot = "Night Off Peak" 
| eval slot = case((hr > 5 AND hr < 8), "Morning", (hr > 7 AND hr < 18), "Day Off Peak", (hr > 17 AND hr < 23), "Prime Time") 
| timechart span=1d count by slot

The first eval (hr) will get the hour (0-23) from the timestamp. The second eval will just set a default value for the slot field. The third eval will override the value of slot for specific values of hr.

Hope this helps,

Kristian

sambiggins · ‎09-25-2013

The answer above was the first I'd seem them. Quite handy! Thanks for chiming in 🙂

yannK · ‎09-25-2013

You can use an eval function (or an automatic calculated field) based on "date_hour" to identify the time of the day.

Then use it as a condition over several days.

example of number of events per day per timeofday.

* | eval timeofday=case(date_hour>=6 AND date_hour<8,"Morning", date_hour>=8 AND date_hour<18,"Day Off Peak", date_hour>=18 AND date_hour<23,"Prime Time", date_hour>=23 OR date_hour<6,"Night Off Peak", 1=1,"error") | timechart span=1d count by timeofday

yoshileigh66 · ‎11-07-2023

This is years later but I'm hoping someone will be able to answer and see this. What is the 1=1, "error" referring to? I understand that if 1=1, then that adds one to "error", but that's the extent of my understanding.

DBattisto · ‎09-19-2018

This is exactly what I was looking for. Thanks!

yannK · ‎09-25-2013

too slow little grasshopper 🙂

kristian_kolb · ‎09-25-2013

dammit!!

🙂

sambiggins · ‎09-25-2013

Perfect, thanks!

MayankChandra · ‎09-15-2021

Hi All, I need daily counts of events between 9PM (lets say yesterday) to 5 AM (today), this pattern i need for last 30 days. Could you please let me know what should be my search.

I am trying this but it returns nothing:

eventtype=eks_prd_logs sourcetype="kube:container:*crs-maint" earliest=-31@d latest=-1@d (date_hour > 21 AND date_hour < 5)

Can someone help asap.

Search a particular time of day across multiple days

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!