Hi There,
Currently I'm using Splunk 4.3.
Need help on how to write a query to specify a timeframe so that I get data for every day 12AM to 6 AM for the last 6 months.
Hi karambaz,
try something like this:
your base search earliest=-6mon date_hour<06
This will return all events between 12AM and 6AM; this is because 12AM is searchable as date_hour=00 within Splunk.
hope this helps ...
cheers, MuS