Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude events which occur during a specific hour each day

benjwarner
Explorer
‎11-18-2012 08:34 PM

Hi there,
I have a query whereby I wish to return results over the previous week, but NOT within a specific couple of hours every day. At the moment it looks something like this:

source="*prod-*.log" earliest=-7d@w0 latest=@w7 | where NOT (date_hour>=9 AND date_hour<=11) | stats count by eventtype

However it is not excluding those events which fall between 9 and 11 each day.

If possible, I'd also like to know how to also specify the minutes in the query. e.g. 

source="*prod-*.log" earliest=-7d@w0 latest=@w7 | where NOT (time>=9:58 AND time<=10:15) | stats count by eventtype

Please note, I've invented the "time" keyword above to demonstrate what I'm after.

Any help would be appreciated.
Cheers,
Ben

Tags (2)
Reply

lukeh
Contributor
‎10-30-2014 09:25 PM

Should be:
| where NOT ( (myHour >= 17 AND myMinute >= 00) OR (myHour < 19 AND myMinute <= 59) )

Luke 🙂

0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎11-18-2012 10:51 PM

This example excludes events between 17:00pm(inclusive) and 19:00pm(exclusive). Substitute in the date params you want (not sure if your example in your question is AM or PM)

source="*prod-*.log" earliest=-7d@w0 latest=@w7 | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour >= 17 AND myMinute >= 00) AND (myHour < 19 AND myMinute <= 59) )
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...