I see how I can use absolute time ranges to filter my searches, but what I'm trying to do is get back results for, say, all events that occur between 1:00AM and 2:00AM every day, not just between some custom start and end times.
Is this possible? And if so, can you provide some example search filters?
Thanks!
Please don't post updates to your question as answers, that way it looks like your question is already answered.
Splunk automatically creates a number of date_* fields for most sources, including date_hour. You can use this field to filter the results in the way you want.
date_hour>=1 AND date_hour<=2
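An added search for the 1:00AM to 2:00AM window from the question (not from the original thread); it derives the hour from _time with strftime rather than from date_hour, because date_* fields are extracted from the timestamp text in the raw event and are missing when no timestamp is parsed, and it uses a single hour value since date_hour<=2 would also match 2:00 to 2:59. The index and sourcetype are placeholders.

```spl
index=main sourcetype=syslog
| eval hour=tonumber(strftime(_time, "%H"))
| where hour=1
| table _time hour host _raw
```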
I found in another thread that I could do the following, if you want to filter for interesting traffic that tends to occur in the first 10 minutes of any hour.
sourcetype="udp:514" host="x.x.x.x" * keywords AND date_minute < 10
I wonder if a RegEx would work.