You must realize that "isn't working" conveys little meaning in the best of scenarios, much less to volunteers who have little knowledge about your particular application and data. What is "not working"? What do your raw data look like? What is the result you are expecting? You haven't even answered whether 3 to 4am means a one-hour interval (exclusive) or two-hour interval (inclusive).

To give you an example of illustrating your raw data, let me present an emulation that results in the following dataset:

| _time | exception |
|---|---|
| 2023-06-05 00:00:05 | Ex6 |
| 2023-06-05 02:02:05 | Ex6 |
| 2023-06-05 03:03:05 | Ex1 |
| 2023-06-05 03:03:15 | Ex2 |
| 2023-06-05 03:03:25 | Ex4 |
| 2023-06-05 03:03:45 | Ex3 |
| 2023-06-05 04:04:05 | Ex2 |
| 2023-06-05 06:06:05 | Ex6 |
| 2023-06-05 07:07:05 | Ex3 |
| 2023-06-05 07:07:25 | Ex1 |
| 2023-06-05 07:07:35 | Ex5 |
| 2023-06-05 07:07:45 | Ex6 |
| 2023-06-05 08:08:55 | Ex6 |
| 2023-06-05 09:09:05 | Ex6 |
| 2023-06-05 10:10:05 | Ex6 |

Is this something that your original data look like? If not, can you illustrate in a way that volunteers can understand?

Here is the code to generate the above set. You can play with it and compare with your real data:

~~~
| makeresults
| eval _raw = "time,exception
2023-06-05 00:00:05,Ex6
2023-06-05 02:02:05,Ex6
2023-06-05 03:03:05,Ex1
2023-06-05 03:03:15,Ex2
2023-06-05 03:03:25,Ex4
2023-06-05 03:03:45,Ex3
2023-06-05 04:04:05,Ex2
2023-06-05 06:06:05,Ex6
2023-06-05 07:07:05,Ex3
2023-06-05 07:07:25,Ex1
2023-06-05 07:07:35,Ex5
2023-06-05 07:07:45,Ex6
2023-06-05 08:08:55,Ex6
2023-06-05 09:09:05,Ex6
2023-06-05 10:10:05,Ex6"
| multikv forceheader=1
| eval _time = strptime(time, "%F %H:%M:%S")
| fields - _raw linecount time
``` data emulation above ```
~~~

With this data set and the first code with the assumption of 3 to 4am inclusive, 7 to 8am inclusive (i.e., two-hour intervals),

~~~
| eval hour = strftime(_time, "%H")
| eval interval = case(hour > 2 AND hour < 5, "3_4", hour > 6 AND hour < 9, "7_8")
| stats values(exception) as exception by interval
| stats values(interval) as interval by exception
| where mvcount(interval) == 1 AND interval == "7_8"
| stats values(exception) as new_exception_7_8
~~~

gives exactly

| new_exception_7_8 |
|---|
| Ex5 Ex6 |

How is this "not working?"

To use 3 to 4am | 7 to 8am exclusive (i.e., one-hour intervals) as assumption, and my second code,

~~~
| eval hour = strftime(_time, "%H")
| where hour IN ("03", "07")
| stats values(exception) as exception by hour
| stats values(hour) as hour by exception
| where mvcount(hour) == 1 AND hour == "07"
| stats values(exception) as new_exception_7
~~~

(the above is slightly modified to pad hour with a leading 0), I also get

| new_exception_7 |
|---|
| Ex5 Ex6 |

which also meets your requirement. Can you explain what "isn't working" here?
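An offline cross-check of the two searches in the answer above, added here as an example and not part of the original post: it replays the emulated events in Python and applies the same "seen only in the later window" logic under both window readings. It goes one step beyond the post with a third comparison against every hour before 07, which shows how much the result depends on the baseline chosen; the function and variable names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Emulated events copied from the post's makeresults block (time,exception).
EVENTS = """\
2023-06-05 00:00:05,Ex6
2023-06-05 02:02:05,Ex6
2023-06-05 03:03:05,Ex1
2023-06-05 03:03:15,Ex2
2023-06-05 03:03:25,Ex4
2023-06-05 03:03:45,Ex3
2023-06-05 04:04:05,Ex2
2023-06-05 06:06:05,Ex6
2023-06-05 07:07:05,Ex3
2023-06-05 07:07:25,Ex1
2023-06-05 07:07:35,Ex5
2023-06-05 07:07:45,Ex6
2023-06-05 08:08:55,Ex6
2023-06-05 09:09:05,Ex6
2023-06-05 10:10:05,Ex6
"""

def parse(text):
    """Return [(datetime, exception)] from 'time,exception' lines."""
    rows = []
    for line in text.strip().splitlines():
        ts, exc = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), exc.strip()))
    return rows

def new_in_later_window(rows, baseline_hours, later_hours):
    """Exceptions seen in later_hours and never in baseline_hours (other hours ignored)."""
    windows = defaultdict(set)  # exception -> set of windows it appears in
    for ts, exc in rows:
        if ts.hour in baseline_hours:
            windows[exc].add("baseline")
        if ts.hour in later_hours:
            windows[exc].add("later")
    return sorted(e for e, w in windows.items() if w == {"later"})

ROWS = parse(EVENTS)
TWO_HOUR = new_in_later_window(ROWS, {3, 4}, {7, 8})         # two-hour reading
ONE_HOUR = new_in_later_window(ROWS, {3}, {7})               # one-hour reading
ALL_PRIOR = new_in_later_window(ROWS, set(range(0, 7)), {7})  # baseline = all earlier hours

if __name__ == "__main__":
    print(TWO_HOUR, ONE_HOUR, ALL_PRIOR)
```

Both window readings return Ex5 and Ex6, matching the SPL results in the post; with every earlier hour as the baseline, Ex6 drops out because it already occurs at 00:00, 02:02 and 06:06.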