Splunk Search

How do you exclude certain days from a time range?

Marinus
Communicator

If you have a time range and certain days contain data you'd like to exclude can you drop the days from your search result?

2 Solutions

netwrkr
Communicator

To exclude Wednesday you would add 'date_wday!=wednesday' to your search.

Check this article out for more information about the internal date fields -

http://www.splunk.com/base/Documentation/4.1/User/UseDefaultAndInternalFields

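As an added example (not from netwrkr's answer), the search below builds a computed weekday field instead of relying on date_wday. The reason is a caveat worth knowing before trusting the exclusion in a detection or report: date_wday is only populated when Splunk extracted the timestamp from the raw event text, and it reflects the timezone written in the event, not the searching user's timezone. strftime(_time, ...) works on every event and uses the user's timezone. The makeresults/streamstats lines construct 14 days of sample events so the search runs on any instance without an index; replace them with your real base search.

```spl
| makeresults count=14
| streamstats count AS n
| eval _time=relative_time(now(), "@d") - (n * 86400)
| eval wday=lower(strftime(_time, "%A"))
| where wday!="wednesday" AND wday!="saturday"
| table _time wday
```

lower() makes the computed name match the lowercase convention of date_wday, so the same literal values can be used in either approach. On real data with a parsed timestamp, putting date_wday!=wednesday in the base search is cheaper because the filter is applied before events leave the indexers; the eval form costs a pass over the results but is correct even when the timestamp was assigned at index time.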

Lowell
Super Champion

You could filter out events based on the _time field using a where search command. This is more difficult to set up than using date_wday, but it's very flexible.

The basic approach would be to perform your search, then grab the time range of your search using the addinfo search command. Then use the where search to filter out the unwanted events in the middle of your search range.

For example, say you were searching over a 1 hour window, but want to remove the center 30 minutes (so remove events from 15 minutes after to 45 minutes after the hour), you could do a search like this:

<your search> earliest=-1h@h latest=@h | addinfo | where _time < (info_min_time+900) OR _time > (info_max_time-900)

Some additional thoughts:

Along with info_min_time and info_max_time, which I used in this example, there is also info_search_time, which could be used if you wanted to do some time operations relative to the system time when you run your search.

Note that you can also use _indextime here, if you wanted to look at when your events were actually indexed rather than when your events occurred, which is sometimes interesting to look at.

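Lowell's where/_time technique pins the excluded region to an offset from the edges of the search window. An added example (not from the post) applies the same idea to the original question, dropping whole calendar days by their absolute epoch boundaries, which is what you want when a known outage or a bulk re-ingest polluted specific dates. The makeresults/streamstats lines construct one event per hour for the first week of March 2024, and the two excluded dates (2024-03-03 and 2024-03-04) are constructed values; substitute your real base search and dates.

```spl
| makeresults count=168
| streamstats count AS n
| eval _time=strptime("2024-03-01", "%Y-%m-%d") + ((n - 1) * 3600)
| eval skip_start=strptime("2024-03-03", "%Y-%m-%d"), skip_end=strptime("2024-03-05", "%Y-%m-%d")
| where _time < skip_start OR _time >= skip_end
| timechart span=1d count
```

strptime() with only a date yields midnight in the searching user's timezone, and the comparison is half-open (_time >= skip_end keeps the first second of the day after the gap), so an event exactly at midnight belongs to the following day and no hour is double-counted or lost at the boundary. The resulting timechart shows 24 events for each day except the two excluded dates. To exclude several non-contiguous days, wrap one (_time >= start AND _time < end) clause per day in NOT ( ... ), and if you need the gap relative to the window rather than fixed dates, swap the strptime() values for info_min_time/info_max_time arithmetic after addinfo, as in Lowell's search.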
