Splunk Search

How to search for a field value during a certain period of time using an extracted time field?

arunkuriakose
Explorer

Hi

I have an extracted field from a regex, i.e. Time_extract, which gives the hour. Now I want to get the logs between a period of time, i.e. time_extract>=10 AND time_extract<23. How do I go about that?

Current search:

Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23
0 Karma

sundareshr
Legend

You just need to do the where on time_extract BEFORE the stats command. You could also combine the two filters, like this:

... | where Date_extract="10/29/16" AND (Time_extract>=12 AND Time_extract<23) | stats count by severity

0 Karma

gokadroid
Motivator

Can you have a look at the link provided here, which explains both extraction of the hour and searching on it, or alternatively using date_hour (and what the consequences of that could be, in @ppablo_splunk's comments on the post):

https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150

However, what you should be looking at is something like the below:

your Query that returns data 
 |eval myHour=strftime(_time, "%H") 
 | where myHour>=12  AND myHour<23
 | stats count by severity
0 Karma

rjthibod
Champion

Does Splunk not automatically extract the field "date_hour" for you? If you look at your data in a search dashboard, do you see "date_hour" extracted if you run the search in "Verbose Mode" (change "Fast Mode" or "Smart Mode" under the time picker to "Verbose Mode")?

If you do see "date_hour", you should be able to change your search to something like this (note, expressions in the base search use implicit AND logic):

<base_search> date_hour>=12 date_hour<23 | stats count by severity

0 Karma
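The following search is an added, self-contained example that is not part of any answer above; it builds a handful of constructed events with makeresults so it runs on any Splunk instance without the asker's data, and shows both approaches from the thread side by side: an hour field pulled out of the raw text with rex (the asker's Time_extract), and an hour derived from _time with strftime (gokadroid's myHour), with the where filter placed before stats as sundareshr describes. The field names Date_extract, Time_extract and severity are taken from the question; ts, myHour and the sample log format are assumptions made for the example. tonumber() is used so the hour comparison is explicitly numeric rather than relying on automatic type coercion of the extracted string.

```spl
| makeresults
| eval _raw="10/29/16 09:15:02 sev=high msg=a;10/29/16 12:40:11 sev=high msg=b;10/29/16 15:05:30 sev=high msg=c;10/29/16 22:59:59 sev=low msg=d;10/29/16 23:00:00 sev=low msg=e;10/28/16 13:00:00 sev=low msg=f"
| makemv delim=";" _raw
| mvexpand _raw
``` comment: the six events above are constructed sample data, not real logs
| rex field=_raw "^(?<ts>(?<Date_extract>\d{2}/\d{2}/\d{2}) (?<Time_extract>\d{2}):\d{2}:\d{2}) sev=(?<severity>\w+)"
``` approach 1: the hour extracted by regex, made numeric before comparing
| eval Time_extract=tonumber(Time_extract)
``` approach 2: set _time from the event timestamp, then derive the hour from _time as in gokadroid's answer
| eval _time=strptime(ts, "%m/%d/%y %H:%M:%S")
| eval myHour=tonumber(strftime(_time, "%H"))
``` the filter must come BEFORE stats; after stats only count and severity exist
| where Date_extract="10/29/16" AND Time_extract>=12 AND Time_extract<23
``` sanity check: both hour fields agree on every surviving event
| eval hour_match=if(Time_extract=myHour, "yes", "no")
| stats count by severity hour_match
```

With the sample data this returns high=2 (the 12:40 and 15:05 events) and low=1 (22:59); the 09:15 and 23:00 events fall outside the window and the 10/28 event fails the date filter. Note that the original "stats ... | where Time_extract..." form returns nothing because stats drops Time_extract before where runs. If you use rjthibod's date_hour instead, remember that it is read from the timestamp text in the raw event and is not adjusted to the searching user's time zone, and it is absent when the event's timestamp was not parsed from the event text.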