Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk search to exclude events from field value

iamsplunker0415
Engager
‎02-16-2024 11:43 AM

Hello Splunk Community, 

I have a requirement to exclude the events from field values between  2AM-3AM everyday.
For Example Field USA has 4 values
USA = Texas, California, Washington, New York

I want to exclude the events from Washington between 2AM-3AM .However, I want them in remaining time 23 hours period. Is there a search to achieve this? 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2024 11:37 PM

As usual, I advise against using the default date_* fields.

Firstly, they don't have to be present in every event so if you get the habit of relying on them you might be unpleasantly surprised. Secondly, they correspond to the original value of the original timestamp so it might not be aligned to your timezone.

I'd go with

<base search>
| eval hour=strftime(_time,"%H")
| where NOT (hour>=2 AND hour<=3 AND in(USA,"Washington","New York",and so on))

 

View solution in original post

Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-16-2024 11:52 AM

Hi @iamsplunker0415,

You can use "date_hour" field for filtering hours, please try below sample;

index=your_index USA="Washington" NOT date_hour IN (2,3)

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2024 11:37 PM

As usual, I advise against using the default date_* fields.

Firstly, they don't have to be present in every event so if you get the habit of relying on them you might be unpleasantly surprised. Secondly, they correspond to the original value of the original timestamp so it might not be aligned to your timezone.

I'd go with

<base search>
| eval hour=strftime(_time,"%H")
| where NOT (hour>=2 AND hour<=3 AND in(USA,"Washington","New York",and so on))

 

Reply
Solved! Jump to solution

iamsplunker0415
Engager
‎02-16-2024 01:30 PM

@scelikok Thank you. 

index=<myindex>
|search USA="Washington" NOT date_hour IN (2,3)
is not working it's only filtering washington not excluding events between 2-3
I also want the remanining values reported all the time.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...