Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I set the time range while running a search to find errors occurring between 08:00am and 06:00pm in a given region?

mishradb
New Member
‎06-16-2015 01:37 AM

I am trying to find errors occurring between 08:00am and 06:00pm in a given region and plot the results over a month i.e the search should check for errors between 08:00am and 06:00pm EDT, 08:00am and 06:00pm BST and 08:00am and 06:00pm HKG.

Can someone please let me know how to achieve this?

Tags (3)
0 Karma
Reply

acharlieh
Influencer
‎06-16-2015 06:11 AM

Assuming your logs are being written with the appropriate local time zone and the event time is being extracted from the text of the events you might be able to use the date_hour field. E.g.

search-to-find-errors date_hour >= 8 date_hour < 18

While _time is normalized to be stored as UTC seconds these date_* fields do not have the same conversions applied (according to the doc at least). Now if your logs are not being written with a timestamp in the text of the event, or if your logs are written in UTC instead of the appropriate local time then this answer will not work.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-23-2015 06:27 AM

If you want to be absolutely sure, couldn't you do this:

<your_search> | eval MyHour = strftime(_time, "%H") | eval  MyMinutes  = strftime(_time,"%M")| search ( tonumber(MyHour) >= 7 AND tonumber(MyHour) <=17 ) ........

This will use the UTC time, and apply timezone conversions.

0 Karma
Reply

mishradb
New Member
‎06-16-2015 06:16 AM

Yes. I have used the date_hour field as below

(date_hour >= 7 AND date_hour <= 17) (date_minute >= 0 AND date_minute <= 59)

This gives me the desired output.So, I am checking between 7am and 5 pm.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-20-2015 08:08 AM

You are checking GMT, just so you know.

0 Karma
Reply

acharlieh
Influencer
‎06-20-2015 08:21 AM

@woodcock: Check the note in the doc that I linked in my answer again. date_* fields are the raw text from the event, with no timezone conversions applied (i.e. whatever is local time for each event). _time is UTC seconds. Therefore mishradb is checking local time for each event.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...