Solved: Re: timechart only business hours

peter_gianusso · ‎03-14-2016

I would like to timechart only events that happened between 9 AM and 5 PM...any help would be appreciated

somesoni2 · ‎03-14-2016

Try something like this

If date_hour is available in your data

your search  date_hour>=9 AND date_hour<17 | your timechart command

If date_hour is not present,

your search | eval date_hour=strftime(_time,"%H") | where  date_hour>=9 AND date_hour<17 | your timechart command

View solution in original post

jkat54 · ‎03-14-2016

Hi,

You need a where clause using date_hour, and then you'll probably want to increase the bins, or use the bucket command to help show time periods when there isnt data:

 index=_internal | where date_hour>=9 AND date_hour<=17 | timechart count bins=1000

peter_gianusso · ‎03-14-2016

thank you!!

somesoni2 · ‎03-14-2016

Try something like this

If date_hour is available in your data

your search  date_hour>=9 AND date_hour<17 | your timechart command

If date_hour is not present,

your search | eval date_hour=strftime(_time,"%H") | where  date_hour>=9 AND date_hour<17 | your timechart command

jkat54 · ‎03-14-2016

if i hadnt taken the screenshot... ;-P, you beat me to it by 25s!

peter_gianusso · ‎03-14-2016

thank you!!

timechart only business hours

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services