Re: _time is different than timestamp in events, s...

brandonbachman · ‎07-03-2019

I have events that with timestamp fields that look like this:

date="6/21/2019 6:50:49 PM"

How do I change my search so that only events during business hours appear? I only want events with timestamps between 6am and 6pm.

I have tried the following:

eval date_hour=strftime(_time, "%w") | search date_hour>=6 date_hour<=18

But the _time field is listed is this

6/21/19
10:51:09.000 AM

As you can see the _time field is about 8 hours earlier than the timestamp in my event and when I search using the _time field, my results are off by 8 hours.

Is there a way to search using the timestamps in my events rather than the _time field? Or can I adjust the _time field to increase by 8 hours so the hours match?

richgalloway · ‎07-03-2019

The time picker only considers _time. You can, however, search for other time fields. Here's one way, but I'm sure there are others.

index=foo | eval ts=strptime(date,"%m/%d/%Y %H:%M:%S %p") 
| eval start=relative_time(ts,"@d+6h"), end=relative_time(ts,"@d+18h")
| search ts>=start AND ts<end

---
If this reply helps you, Karma would be appreciated.

_time is different than timestamp in events, searching by business hours

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!