Re: Exclude events which occur during a specific h...

benjwarner · ‎11-18-2012

Hi there,
I have a query whereby I wish to return results over the previous week, but NOT within a specific couple of hours every day. At the moment it looks something like this:

source="*prod-*.log" earliest=-7d@w0 latest=@w7 | where NOT (date_hour>=9 AND date_hour<=11) | stats count by eventtype

However it is not excluding those events which fall between 9 and 11 each day.

If possible, I'd also like to know how to also specify the minutes in the query. e.g.

source="*prod-*.log" earliest=-7d@w0 latest=@w7 | where NOT (time>=9:58 AND time<=10:15) | stats count by eventtype

Please note, I've invented the "time" keyword above to demonstrate what I'm after.

Any help would be appreciated.
Cheers,
Ben

lukeh · ‎10-30-2014

Should be:
| where NOT ( (myHour >= 17 AND myMinute >= 00) OR (myHour < 19 AND myMinute <= 59) )

Luke 🙂

Damien_Dallimor · ‎11-18-2012

This example excludes events between 17:00pm(inclusive) and 19:00pm(exclusive). Substitute in the date params you want (not sure if your example in your question is AM or PM)

source="*prod-*.log" earliest=-7d@w0 latest=@w7 | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour >= 17 AND myMinute >= 00) AND (myHour < 19 AND myMinute <= 59) )

Exclude events which occur during a specific hour each day

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk