I wanted to search for full day except one hour from 6.30am to 7.30am. I am not able to do it. Can anyone help me in this.
There's no foolproof way of putting this as an initial filter in your search that I know of; however, you could create fields and then filter on those:
<yourbasesearch> | eval hourandminute=tonumber(strftime(_time,"%H%M")) | search NOT (hourandminute>=630 AND hourandminute<=730)
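The same time-of-day exclusion expressed in Python, as an added illustration that is not part of the original thread: the sample events are constructed, the window bounds are the 630/730 minute values from the query above, and the last function shows why casting the "%H%M" string to a number matters before comparing it.

```python
from datetime import datetime, timezone

# Constructed sample events (epoch seconds, UTC); not taken from the thread.
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 1, 15, 6, 29, 59, tzinfo=timezone.utc).timestamp(), "msg": "before window"},
    {"_time": datetime(2024, 1, 15, 6, 30, 0, tzinfo=timezone.utc).timestamp(), "msg": "window start"},
    {"_time": datetime(2024, 1, 15, 7, 0, 0, tzinfo=timezone.utc).timestamp(), "msg": "inside window"},
    {"_time": datetime(2024, 1, 15, 7, 30, 59, tzinfo=timezone.utc).timestamp(), "msg": "window end minute"},
    {"_time": datetime(2024, 1, 15, 7, 31, 0, tzinfo=timezone.utc).timestamp(), "msg": "after window"},
]


def hour_minute(epoch: float) -> int:
    """Equivalent of eval hourandminute=tonumber(strftime(_time,"%H%M")): 06:30 -> 630."""
    return int(datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%H%M"))


def outside_window(events, start=630, end=730):
    """Equivalent of: search NOT (hourandminute>=start AND hourandminute<=end).

    Both bounds are inclusive at minute granularity, exactly as in the query,
    so 07:30:59 is still dropped while 07:31:00 is kept.
    """
    return [e for e in events if not (start <= hour_minute(e["_time"]) <= end)]


def string_compare_pitfall() -> bool:
    """Concatenating "%H" and "%M" yields the string "0630"; compared as text
    it sorts before "630", whereas compared as numbers 630 >= 630 holds.
    Returns True when the two comparison modes disagree."""
    return ("0630" >= "630") != (630 >= 630)
```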
Thanks Ayn.