Timewrap with specific time range

bmer · ‎01-28-2022

Hi,

Iam a newbie and have just started exploring the power of splunk. My below query works fine except that I need the output ONLY for a specific time period ie 2pm and 4pm with a span of 15m and not for entire day

index=xxxx pod=xxxx CASE(xxxxx) `logRecordType(xxxx)` logName="xxxxxx"
earliest=-3d@d latest=@d|timechart span=30m count|timewrap d

So basically my output only list me 4 rows with "2days_before","1day_before" and "latest_day".A

Thanks,

Bhaggs

bmer · ‎02-01-2022

Thanks @isoutamo I did go through that and understand the use but no where am able to restrict the timewrap to a selected period say LAST 15d between 2pm and 4pm having span=15m etc. It may be possible with some tweak but as I said am in learning process and would appreciate if someone can provide the full command.I will then do a self-learn from same

isoutamo · ‎02-01-2022

Here is an one way to do it

index=<YOUR INDEX> earliest=-15d@d
| eval hours=strftime(_time, "%H")
| where hours >= 14 AND hours<=16
| bin span=15m _time

r. Ismo

isoutamo · ‎01-28-2022

Hi

here https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/SearchTimeModifiers is how to use time modifiers on your search. You will find answer to your question there.

r. Ismo

Timewrap with specific time range

chart

count

stats

timechart

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Timewrap with specific time range

chart

count

stats

timechart

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!