Can the date_hour, date_minute and date_second fi...

krdo · ‎03-11-2015

When I run the following search using All time (real-time) no results are returned;

* AND (date_hour!=13 OR date_minute<50 OR date_minute>55)

Why is this? When I change the time range to 30 second window the expected results are returned. I wanted to create a real-time alert based on the search but it never triggers.

krdo · ‎03-11-2015

I found a workaround:

* | search (date_hour!=13 OR date_minute<50 OR date_minute>55)

But to be honest, I have no idea why this works...

markthompson · ‎03-11-2015

You say when you set it to a 30-sec window it works, but what window do you want to use?
Also, why are you searching for just *?

krdo · ‎03-11-2015

* will be replaced by the actual search parameters, I just wanted to make sure I get lots of events to check whether my time window filter works correctly. I started with all filters and found out that no results are returned as soon as I add the time window filter. The alert will be using a sliding 5 minute window with additional search parameters.

markthompson · ‎03-11-2015

It might be that you're getting too many results. Is this a table? Or is it a graph?

krdo · ‎03-11-2015

I just run the search above and use the events viewer. The 30 seconds window returns around ~70 results.

Can the date_hour, date_minute and date_second fields be used in realtime searches?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!