Splunk Search

Specific Hour Search

Path Finder

Anyone know Splunk's built-in time variables? For example, I'm trying to create a search based on events occurring after 5 PM and before 6 AM, but the "date_hour" or "day_hour" variables that I've seen in other posts don't seem to be working. Any ideas?

1 Solution

Ultra Champion

Does something like this work for you:

Simple example, add your specific fields to the table command as you require.

... | eval hour_of_the_day=strftime(_time, "%H") | where hour_of_the_day >=17 or hour_of_the_day < 6 | table _time


Path Finder

This information has proved useful and I've been able to use it myself. A question though, is it possible to alter this eval command to allow for searching in half hour periods?

I'd like to do from 07:00-8:30 but using 8.5 will just round up to 9.

0 Karma

Path Finder

To access minutes in your search, you can add the following "| eval minoftheday=strftime(_time,"%M")" and search on "minoftheday", but there is an issue with my solution, as if you're only searching for "minoftheday < 31", it will only look at the first half hour of EVERY hour, not just the last one. Unfortunately I'm not good at regex strings, so this is where I have to bow out.

0 Karma
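As an added example (not from any post in this thread), the half-hour window and the overnight window above can both be expressed by converting _time to minutes since midnight, which avoids the "first half of every hour" problem; tonumber() is used so the comparisons are numeric rather than string comparisons on the zero-padded strftime output. The field names minute_of_day, in_overnight and in_morning_window are chosen here and are not from the thread.

```spl
... | eval minute_of_day = tonumber(strftime(_time, "%H")) * 60 + tonumber(strftime(_time, "%M"))
    | eval in_overnight = if(minute_of_day >= 17*60 OR minute_of_day < 6*60, 1, 0)
    | eval in_morning_window = if(minute_of_day >= 7*60 AND minute_of_day < 8*60 + 30, 1, 0)
    | where in_overnight=1 OR in_morning_window=1
    | table _time, minute_of_day, in_overnight, in_morning_window
```

strftime renders _time in the timezone of the user running the search, so 17 means 5 PM in that timezone, not in the timezone the event was logged in. When this query goes into a view XML, wrap it in <![CDATA[ ... ]]> because of the < comparator, as discussed later in the thread.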

Path Finder

Ended up using the following, for anyone interested. I just needed to put the caret in the CDATA string. Thanks guys!
(index=windows7 OR index=windows2008R2) source=wineventlog:security ProcessName="C:\Windows\System32\winlogon.exe" LogonGUID!="{00000000-0000-0000-0000-000000000000}" host=$Computer$ user=$User$ | eval houroftheday=strftime(_time,"%H") | where (houroftheday >= 17 <![CDATA[or houroftheday < 6]]>) | timechart count by user

0 Karma

New Member

This is great. I have been busting on this for quite some time. I was able to get it to work by using the format below. Thanks a bunch for the tip.

This provides a search between 8am and 10pm for the day or days selected.
ERRORCODE=001 | eval houroftheday=strftime(_time,"%H") | where houroftheday>07 | where houroftheday<22

0 Karma

Ultra Champion

Try wrapping the entire search in a CDATA block:

<![CDATA[ (index=windows7 OR index=windows2008R2) source=wineventlog:security ProcessName="C:\Windows\System32\winlogon.exe" LogonGUID!="{00000000-0000-0000-0000-000000000000}" | eval houroftheday=strftime(_time,"%H") | where houroftheday >= 17 or houroftheday > 6 | timechart count by user ]]>

Path Finder

Still not quite working. Ayn's response cleared the error, but it's not giving the results I would expect. Search line is as follows:

(index=windows7 OR index=windows2008R2) source=wineventlog:security ProcessName="C:\Windows\System32\winlogon.exe" LogonGUID!="{00000000-0000-0000-0000-000000000000}" | eval houroftheday=strftime(_time,"%H") | where (houroftheday >= 17 or houroftheday > <![CDATA[ 6) | timechart count by user]]>

0 Karma

Ultra Champion

Thanks Ayn 🙂

0 Karma

Legend

When you're using "<" in a search command within an XML document, that tag character is interpreted as part of the XML data rather than as part of the search command. To specify that this tag is not referring to the XML structure, use the special escaping sequence <![CDATA[ and its corresponding end sequence ]]>.

See this question and its corresponding answer for more details: http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

Path Finder

Works in the search, but not in forms. Unfortunately the less-than comparator is being seen as part of an HTML tag in my form, so I'm getting "Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 47: StartTag: invalid element name". Any ideas?

0 Karma