Does something like this work for you:
Simple example, add your specific fields to the table command as you require.
... | eval hour_of_the_day=strftime(_time, "%H") | where hour_of_the_day >=17 or hour_of_the_day < 6 | table _time
This information has proved useful and I've been able to use it myself. A question though, is it possible to alter this eval command to allow for searching in half hour periods?
I'd like to do from 07:00-8:30 but using 8.5 will just round up to 9.
To access minutes in your search, you can add the following "| eval min_of_the_day=strftime(_time,"%M") " and search on "min_of_the_day" but there is an issue with my solution as if you're only searching for "min_of_the_day < 31", it will only look at the first half hour of EVERY hour, not just the last one. Unfortunately I'm not good at regex strings, so this is where I have to bow out.
Ended up using the following, for anyone interested. I just needed to put the caret in the CDATA string. Thanks guys!
This is great. I have been busting on this for quite some time. I was able to get it to work by using the format below. Thanks a bunch for the tip.
This provides a search between 8am and 10pm for the day or days selected.
ERRORCODE=001 | eval hour_of_the_day=strftime(_time,"%H") | where hour_of_the_day>07 | where hour_of_the_day<22
Try wrapping the entire search in a CDATA block :
Still not quite working. Ayn's response cleared the error, but it's not giving the results I would expect. Search line is as follows:
Thanks Ayn 🙂
When you're using "<" in a search command within an XML document, that tag character is interpreted as part of the XML data rather than as part of the search command. To specify that this tag is not referring to the XML structure, use the special escaping sequence <![CDATA[ and its corresponding end sequence ]]>.
See this question and corresponding for more details: http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex
Works in the search, but not forms. Unfortunately the less than comparator is being seen as part of an html tag in my form so I'm getting "Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 47: StartTag: invalid element name" Any ideas?
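An added example, not part of the original thread, combining the two points discussed above: a half-hour window (07:00 to 08:30) expressed as minutes since midnight, placed in a form with the search wrapped in CDATA so the "<" comparator is not parsed as an XML tag. It assumes the `<search>`/`<query>` Simple XML elements; the token name `range` and the labels are hypothetical, and `ERRORCODE=001` is the base search quoted in the thread.

```xml
<form>
  <label>Events between 07:00 and 08:30</label>
  <fieldset submitButton="false">
    <!-- Time picker selects the day or days; the window below filters within each day -->
    <input type="time" token="range">
      <label>Days to search</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- minute_of_day = hour * 60 + minute, so 07:00 is 420 and 08:30 is 510.
               The upper bound is exclusive: an event at 08:30:00 is not returned.
               tonumber() forces a numeric comparison on the strftime() strings.
               Everything inside CDATA is passed to the search unparsed. -->
          <query><![CDATA[
            ERRORCODE=001
            | eval minute_of_day = tonumber(strftime(_time, "%H")) * 60 + tonumber(strftime(_time, "%M"))
            | where minute_of_day >= 420 AND minute_of_day < 510
            | table _time
          ]]></query>
          <earliest>$range.earliest$</earliest>
          <latest>$range.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

For a window that crosses midnight, such as the 17:00 to 06:00 search at the top of the thread, join the two bounds with OR instead of AND (`minute_of_day >= 1020 OR minute_of_day < 360`).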