Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to narrow down data with time?

Chris231289
Loves-to-Learn Lots
‎02-06-2023 01:11 PM

Hello, 

i am looking to narrow down my search field, i only want to search for events that happen outside of  a specific time range. I want to search for events that happen outside of 0800 to 1700

Any help would be appriceated 

Kind regards 

Labels (1)
Labels
0 Karma
Reply

yeahnah
Motivator
‎02-06-2023 02:02 PM

Hi @Chris231289 

It's useful for these types of queries to understand where the events to be filtered come from and how they look.  It also may depend on where you need to filter the data, has it been transformed into a summary already.  These things can make a difference to how you would filter out events. 

If this is standard search query then by default Splunk creates a data_hour field (from the _time field) so something like this would work...

...your base query search query...
| where ((date_hour < 8 OR (date_hour >= 17))

Maybe provide a sample of you data or your current search query if this does not work for you. 
 
Hope this helps.

0 Karma
Reply

Chris231289
Loves-to-Learn Lots
‎02-06-2023 02:19 PM

thank you but when i put in | where((date_hour < 8 OR (date_hour >= 17))  i get the error Error in 'where' command: The expression is malformed. Expected ).

0 Karma
Reply

yeahnah
Motivator
‎02-06-2023 02:44 PM

Looks like i missed the closing parenthesis after the 8.  Try...
 
| where  ((date_hour < 8 ) OR (date_hour >= 17))

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...