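Assuming you are using a reporting command such as stats or timechart and pass _time afterwards, you can do something as simple as this. You use the strftime function to explicitly extract the day and hour values from epoch time, then filter them with where:

| eval startdate_time=strptime(startdate,"%Y-%m-%d %H:%M:%S")
| eval enddate_time=strptime(enddate,"%Y-%m-%d %H:%M:%S")
| eval date_time=strptime(date,"%Y-%m-%d %H:%M:%S")
``` Each parsed timestamp gets its own day/hour fields. The original search wrote all three into date_day/date_hour, so only the values taken from date_time survived and the start/end extractions were silently discarded. ```
| eval start_day=tonumber(strftime(startdate_time,"%d")), start_hour=tonumber(strftime(startdate_time,"%H"))
| eval end_day=tonumber(strftime(enddate_time,"%d")), end_hour=tonumber(strftime(enddate_time,"%H"))
| eval date_day=tonumber(strftime(date_time,"%d")), date_hour=tonumber(strftime(date_time,"%H"))
``` %d is the day of month (01-31); the original used %a, which yields a weekday name such as "Mon" and can never satisfy a numeric test like >= 10. tonumber() makes the comparison numeric instead of a lexicographic string compare on zero-padded values. If a weekday filter was actually intended, use %u (1-7) or %w (0-6) instead of %d and adjust the bounds. ```
``` The stray "date" token in the original condition (date_day <28 date AND ...) was a syntax error; the filter below is the same day/hour window without it. date_hour>=12 already implies date_hour>10, so the second bound is kept only to mirror the original. ```
| eval alert=if(date_day>=10 AND date_hour>=12 AND date_day<28 AND date_hour>10, 1, 0)
| where alert=1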