Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

exclude time range in splunk query

kirrusk
Communicator
‎02-01-2022 05:59 AM

Hi,

 

I'm trying to exclude events from the time range.

 

 

index = _internal 
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| eval DayofWeek=strftime(_time,"%w")
| eval Month=strftime(_time,"%m")
| eval WeekOfYear=strftime(_time,"%U")
| search NOT DayofWeek=3 AND Hour>10 Hour<13

 


from the above query trying to exclude Wednesday and in between 10 to 13, but it excludes all the day.
Can anyone have suggestions?

Have one more scenario,

need to exclude Monday and Wednesday particular hours.

Labels (8)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-01-2022 07:53 AM

Hi @kirrusk,

what do you mean with "results with two days events (timestamps)." date_wday it's the same extraction than "| eval DayofWeek=strftime(_time,"%w")".

Anyway, yu can use your field evals and use my filter:

index = _internal 
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| eval DayofWeek=strftime(_time,"%A")
| eval Month=strftime(_time,"%m")
| eval WeekOfYear=strftime(_time,"%U")
| search NOT DayofWeek="Wednsday" AND (Hour>=10 Hour<=13)

is this the real condition you want?

  • exclude Wednsday and take hours between 10 and 13 (with 10 and 13)

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-01-2022 06:15 AM

Hi @kirrusk,

at first, probably, you don't need to use eval to have hour, minute, etc..., you should have date_hour, date_minute, etc...

Anyway, to exclude Wednesday and days of the mont between 10 and 13 (comprehensive of 10 and 13), you could use something like this:

index = _internal date_wday|="Wednesday " (date_mday<10 AND date_mday>13)
| ...

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

kirrusk
Communicator
‎02-01-2022 07:13 AM

@gcusello  date_wday not working properly, it's giving results with two days events (timestamps). So I'm using eval to take from _time

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-01-2022 07:53 AM

Hi @kirrusk,

what do you mean with "results with two days events (timestamps)." date_wday it's the same extraction than "| eval DayofWeek=strftime(_time,"%w")".

Anyway, yu can use your field evals and use my filter:

index = _internal 
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| eval DayofWeek=strftime(_time,"%A")
| eval Month=strftime(_time,"%m")
| eval WeekOfYear=strftime(_time,"%U")
| search NOT DayofWeek="Wednsday" AND (Hour>=10 Hour<=13)

is this the real condition you want?

  • exclude Wednsday and take hours between 10 and 13 (with 10 and 13)

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-07-2022 11:53 PM

Hi @kirrusk,

Hi good for you, see next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...