Splunk Search

Specific Hour Search

jsb22
Path Finder

Anyone know Splunk's built-in time variables? For example, I'm trying to create a search based on events occurring after 5 PM and before 6 AM, but the "date_hour" or "day_hour" variables that I've seen in other posts don't seem to be working. Any ideas?

1 Solution

Damien_Dallimor
Ultra Champion

Does something like this work for you:

Simple example, add your specific fields to the table command as you require.

... | eval hour_of_the_day=strftime(_time, "%H") | where hour_of_the_day >=17 or hour_of_the_day < 6 | table _time

srw46
Path Finder

This information has proved useful and I've been able to use it myself. A question though, is it possible to alter this eval command to allow for searching in half hour periods?

I'd like to do from 07:00-8:30 but using 8.5 will just round up to 9.

jsb22
Path Finder

To access minutes in your search, you can add the following "| eval min_of_the_day=strftime(_time,"%M") " and search on "min_of_the_day", but there is an issue with my solution: if you're only searching for "min_of_the_day < 31", it will only look at the first half hour of EVERY hour, not just the last one. Unfortunately I'm not good at regex strings, so this is where I have to bow out.
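
One way to get the half-hour window srw46 asked about without the per-hour problem described above, added here as an example and not a search from any post in this thread: convert each event's time to minutes since midnight, so 07:00-08:30 becomes a single numeric range (420 to 509) and an overnight window such as 17:00-06:00 is two ranges joined with OR. tonumber() makes the comparison explicitly numeric, since strftime() returns a string; the "..." stands for whatever base search you already have, and the field and window names are my own.

```spl
... | eval minute_of_day = tonumber(strftime(_time, "%H")) * 60 + tonumber(strftime(_time, "%M"))
    | eval window = case(minute_of_day >= 420 AND minute_of_day < 510, "morning_0700_0830",
                         minute_of_day >= 1020 OR minute_of_day < 360, "overnight_1700_0600",
                         true(), "other")
    | where window != "other"
    | timechart span=30m count by window
```

As with the hour_of_the_day searches in this thread, strftime() renders _time in the time zone configured for the user running the search, so the window boundaries follow that setting rather than the event's original time zone.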

jsb22
Path Finder

Ended up using the following, for anyone interested. I just needed to put the caret in the CDATA string. Thanks guys!
(index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" host=$Computer$ user=$User$ | eval hour_of_the_day=strftime(_time,"%H") | where (hour_of_the_day >= 17 <![CDATA[or hour_of_the_day < 6]]>) | timechart count by user

mark_groenveld
Path Finder

This is great. I have been busting on this for quite some time. I was able to get it to work by using the format below. Thanks a bunch for the tip.

This provides a search between 8am and 10pm for the day or days selected.
ERRORCODE=001 | eval hour_of_the_day=strftime(_time,"%H") | where hour_of_the_day>07 | where hour_of_the_day<22

Damien_Dallimor
Ultra Champion

Try wrapping the entire search in a CDATA block:

<![CDATA[ (index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" | eval hour_of_the_day=strftime(_time,"%H") | where hour_of_the_day >= 17 or hour_of_the_day > 6 | timechart count by user ]]>

jsb22
Path Finder

Still not quite working. Ayn's response cleared the error, but it's not giving the results I would expect. Search line is as follows:

(index=windows_7 OR index=windows_2008_R2) source=wineventlog:security Process_Name="C:\Windows\System32\winlogon.exe" Logon_GUID!="{00000000-0000-0000-0000-000000000000}" | eval hour_of_the_day=strftime(_time,"%H") | where (hour_of_the_day >= 17 or hour_of_the_day > <![CDATA[ 6) | timechart count by user]]>

Damien_Dallimor
Ultra Champion

Thanks Ayn 🙂

Ayn
Legend

When you're using "<" in a search command within an XML document, that tag character is interpreted as part of the XML data rather than as part of the search command. To specify that this tag is not referring to the XML structure, use the special escaping sequence <![CDATA[ and its corresponding end sequence ]]>.

See this question and the corresponding answer for more details: http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

jsb22
Path Finder

Works in the search, but not in forms. Unfortunately the less than comparator is being seen as part of an HTML tag in my form, so I'm getting "Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 47: StartTag: invalid element name". Any ideas?