Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

exclude time range in splunk query

kirrusk
Communicator
‎02-01-2022 05:59 AM

Hi,

 

I'm trying to exclude events from the time range.

 

 

index = _internal 
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| eval DayofWeek=strftime(_time,"%w")
| eval Month=strftime(_time,"%m")
| eval WeekOfYear=strftime(_time,"%U")
| search NOT DayofWeek=3 AND Hour>10 Hour<13

 


from the above query trying to exclude Wednesday and in between 10 to 13, but it excludes all the day.
Can anyone have suggestions?

Have one more scenario,

need to exclude Monday and Wednesday particular hours.

Labels (8)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-01-2022 07:53 AM

Hi @kirrusk,

what do you mean with "results with two days events (timestamps)." date_wday it's the same extraction than "| eval DayofWeek=strftime(_time,"%w")".

Anyway, yu can use your field evals and use my filter:

index = _internal 
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| eval DayofWeek=strftime(_time,"%A")
| eval Month=strftime(_time,"%m")
| eval WeekOfYear=strftime(_time,"%U")
| search NOT DayofWeek="Wednsday" AND (Hour>=10 Hour<=13)

is this the real condition you want?

  • exclude Wednsday and take hours between 10 and 13 (with 10 and 13)

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-01-2022 06:15 AM

Hi @kirrusk,

at first, probably, you don't need to use eval to have hour, minute, etc..., you should have date_hour, date_minute, etc...

Anyway, to exclude Wednesday and days of the mont between 10 and 13 (comprehensive of 10 and 13), you could use something like this:

index = _internal date_wday|="Wednesday " (date_mday<10 AND date_mday>13)
| ...

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

kirrusk
Communicator
‎02-01-2022 07:13 AM

@gcusello  date_wday not working properly, it's giving results with two days events (timestamps). So I'm using eval to take from _time

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-01-2022 07:53 AM

Hi @kirrusk,

what do you mean with "results with two days events (timestamps)." date_wday it's the same extraction than "| eval DayofWeek=strftime(_time,"%w")".

Anyway, yu can use your field evals and use my filter:

index = _internal 
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| eval DayofWeek=strftime(_time,"%A")
| eval Month=strftime(_time,"%m")
| eval WeekOfYear=strftime(_time,"%U")
| search NOT DayofWeek="Wednsday" AND (Hour>=10 Hour<=13)

is this the real condition you want?

  • exclude Wednsday and take hours between 10 and 13 (with 10 and 13)

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-07-2022 11:53 PM

Hi @kirrusk,

Hi good for you, see next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top