Splunk Search

How to filter a search by a time field in hhmm format?

hmdoan
Explorer

I need to calculate some MTTR numbers based on NOC work shifts. In particular these shifts:

First Front: Sun-Wed 0700-1630
First Back: Wed-Sat 0700-1630
Second Front: Sun-Wed 1200-2200
Second Back: Wed-Sat 1230-2200
Third Front: Sun-Wed 2030-0700
Third Back: Wed-Sat 2000-0700

So for the shifts that are in even hours like Sun-Wed 1200-2200, the search filter is pretty easy:

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) AND date_hour>=12 AND date_hour<22

However, when you add in the half hours, I don't have any clue how to filter something like Sun-Wed 0700-1630 using the existing time fields available.


javiergn
SplunkTrust

What about?

First Front

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) 
AND date_hour>=7 AND (date_hour<16 OR (date_hour=16 AND date_minute<=30))

EDIT (if you are worried about the seconds):

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) 
AND date_hour>=7 AND (date_hour<16 OR (date_hour=16 AND date_minute<30))

Or

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) 
AND date_hour>=7 AND (date_hour<16 OR (date_hour=16 AND date_minute<30) OR (date_hour=16 AND date_minute=30 AND date_second=0))
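As an added example (not part of the thread above), the same problem can be solved without juggling date_hour/date_minute at all: turn the event time into a single HHMM integer with strftime(_time, "%H%M") and compare against 0700, 1630 and so on directly. This also handles the two things the date_* approach struggles with: the Third shifts cross midnight, so an event at 02:00 Thursday belongs to the shift that started Wednesday evening, and some shifts overlap in time (First and Second both cover 1200-1630, and Wednesday is worked by both Front and Back), so one event can legitimately belong to more than one shift. The search below therefore computes one 0/1 flag per shift and feeds them into per-shift MTTR averages. The base search (index=noc sourcetype=ticket status=resolved) and the ttr_minutes field are placeholders for whatever your ticket data looks like; everything else is stock SPL.

```spl
index=noc sourcetype=ticket status=resolved
| rename COMMENT AS "index/sourcetype above and ttr_minutes below are placeholders, adjust to your data"
| eval hhmm = tonumber(strftime(_time, "%H%M"))
| eval dow = tonumber(strftime(_time, "%w"))
| rename COMMENT AS "%w gives 0=Sunday .. 6=Saturday; events before 0700 belong to the previous day's overnight shift"
| eval shift_dow = if(hhmm<700, (dow+6)%7, dow)
| eval front = if(shift_dow<=3, 1, 0)
| eval back = if(shift_dow>=3, 1, 0)
| eval first_front = if(front=1 AND hhmm>=700 AND hhmm<1630, 1, 0)
| eval first_back = if(back=1 AND hhmm>=700 AND hhmm<1630, 1, 0)
| eval second_front = if(front=1 AND hhmm>=1200 AND hhmm<2200, 1, 0)
| eval second_back = if(back=1 AND hhmm>=1230 AND hhmm<2200, 1, 0)
| eval third_front = if(front=1 AND (hhmm>=2030 OR hhmm<700), 1, 0)
| eval third_back = if(back=1 AND (hhmm>=2000 OR hhmm<700), 1, 0)
| stats avg(eval(if(first_front=1, ttr_minutes, null()))) as mttr_first_front,
        avg(eval(if(first_back=1, ttr_minutes, null()))) as mttr_first_back,
        avg(eval(if(second_front=1, ttr_minutes, null()))) as mttr_second_front,
        avg(eval(if(second_back=1, ttr_minutes, null()))) as mttr_second_back,
        avg(eval(if(third_front=1, ttr_minutes, null()))) as mttr_third_front,
        avg(eval(if(third_back=1, ttr_minutes, null()))) as mttr_third_back
```

tonumber("0730") yields 730, so the comparisons are numeric and half hours need no special handling; the end of each window is exclusive (hhmm<1630 stops at 16:29:59), which matches a shift that hands over at 16:30. To filter rather than aggregate, replace the stats line with, for example, | where first_front=1. The `| rename COMMENT AS ...` lines are a no-op used as inline comments and can be deleted. One caveat on the original approach: the date_hour, date_minute and date_wday fields are taken from the timestamp as written in the event, in the event's own time zone, and are absent when Splunk did not parse a timestamp from the event text, whereas strftime(_time, ...) is evaluated in the searching user's time zone preference, so the two can disagree for sources logged in a different zone from the NOC.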