Is it possible to run a search that will only include all the events for that day after a certain time? (using the time range picker to select the date only, so the time will be selected using the search query)
For example, I am wanting the search to pick events after 8am for the day selected by the time range picker.
If your events have the date_hour field (and it's reliable) then you can use it to filter events.
... | where date_hour >= 20 | ...
If you don't have that field then you can make your own.
... | eval date_hour = strftime(_time, "%H")
| where date_hour >= 20
Hi @jboustead,
"using the time range picker to select the date only, so the time will be selected using the search query"
If your events have the hour value as a separate field, then with the "where" command it may be possible.
BUT that's a long and difficult route.
The earliest and latest modifiers offer all possible combinations of time/date we can ever imagine.
This example searches an index for the last 24 hours but omits any events returned from Midnight to 1:00 A.M., when downtime returns false log entries.
index=myindex ((earliest=-24h latest<@d) OR (earliest>=@d+1h))
This search specifies two time ranges:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2009/Search/Specifytimemodifiersinyoursearch
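The thread quotes the `-24h` / `@d` / `@d+1h` modifiers without showing how they resolve, so here is an added example (not from the thread and not Splunk's own code): a small Python evaluator for Splunk-style relative time modifiers, with the documented window applied to constructed timestamps. The `NOW` reference time, the unit limits noted in the comments and the helper names are assumptions.

```python
# Added example, not code from the thread or from Splunk: evaluates Splunk-style relative
# time modifiers. Assumed limits: offsets in s/m/h/d/w; snap units s/m/h/d/w/mon/y; no @w1-style snaps.
import re
from datetime import datetime, timedelta
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
OFFSET = re.compile(r"([+-]\d+)(s|m|h|d|w)")
NOW = datetime(2024, 3, 10, 9, 30)  # constructed reference "now" (a Sunday)

def _snap(t, unit):
    """Round t down to the start of the unit: @h -> top of hour, @d -> midnight, @w -> Sunday."""
    zero = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "s": return t.replace(microsecond=0)
    if unit == "m": return t.replace(second=0, microsecond=0)
    if unit == "h": return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d": return zero
    if unit == "w": return zero - timedelta(days=(zero.weekday() + 1) % 7)
    if unit == "mon": return zero.replace(day=1)
    return zero.replace(month=1, day=1)  # "y"

def _apply_offsets(t, text):
    """Apply a run of offsets such as '-24h' or '+1h'; anything else is a syntax error."""
    pos = 0
    for m in OFFSET.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad offset in {text!r}")
        t += timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"bad offset in {text!r}")
    return t

def relative_time(now, modifier):
    """Evaluate '-24h', '@d', '@d+1h', '-1d@d' or 'now' against the reference time now."""
    if modifier == "now":
        return now
    before, at, after = modifier.partition("@")
    t = _apply_offsets(now, before)
    if at:  # snap first, then apply any offsets written after the snap unit
        m = re.match(r"mon|s|m|h|d|w|y", after)
        if not m:
            raise ValueError(f"missing snap unit in {modifier!r}")
        t = _apply_offsets(_snap(t, m.group(0)), after[m.end():])
    return t

def kept_by_docs_search(now, event_time):
    """Window of ((earliest=-24h latest<@d) OR (earliest>=@d+1h)): last 24h minus 00:00-01:00."""
    in_first = relative_time(now, "-24h") <= event_time < relative_time(now, "@d")
    in_second = relative_time(now, "@d+1h") <= event_time <= now
    return in_first or in_second
```

Note that `earliest`/`latest` written into the search string are evaluated against the search's own reference time, which is why an event at 00:30 on the reference day is dropped while one at 23:00 the previous day is kept.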