I have a timechart which displays the results for the past 7 days. But now I don't want Splunk to display the results for all 24 hours of each day in the last 7 days. Instead, I just want to display the timechart from 7 o'clock in the evening to 7 o'clock in the morning for the last 7 days.
Is this scenario possible in Splunk? If yes, how can we do that?
Can you try this please:
your Query that returns data of last seven days
| eval myHour=tonumber(strftime(_time, "%H"))
| where myHour>=19 OR myHour<7
| complete your query to draw the timechart
Or, adding the suggestion below:
your Query that returns data of last seven days
| where date_hour>=19 OR date_hour<7
| complete your query to draw the timechart
You could also just use the date_hour field in splunk, that is already extracted, instead of creating the myHour field.
Thanks @Iquinn. Let me update that in the query as per the suggestions. Awesome stuff.
It might be good to read up on some cautionary advice by search gurus @lguinn and @sideview on this post:
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#answer-387134
OK, so it sounds like extracting the %H using strftime is the way to go, as suggested in the linked post and as was in the initial answer. Thanks @ppablo_splunk
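As an added example (not code from this thread, and not Splunk code), here is a small Python model of what the accepted answer's `where myHour>=19 OR myHour<7` filter does, followed by an hourly bucket count standing in for `timechart span=1h count`. It also models the caution in the linked post, under the assumption that `date_hour` is the hour digits of the raw event timestamp as written by the logging host, while `strftime(_time, "%H")` renders `_time` in the searching user's timezone: the same events land on different sides of the 19:00 to 07:00 boundary depending on which hour you filter on. The events, the UTC logging host and the UTC-4 analyst timezone are all constructed assumptions for the demonstration. The window helper goes slightly beyond the thread by also handling a window that does not wrap past midnight.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: the logging host writes timestamps in UTC, and the analyst's
# Splunk timezone preference is UTC-4 (e.g. New York in summer). A fixed
# offset is used so the example does not depend on a tz database.
SOURCE_TZ = timezone.utc
ANALYST_TZ = timezone(timedelta(hours=-4), "UTC-4")


def _epoch(year, month, day, hour, minute):
    """Epoch seconds for a wall-clock time on the logging host (UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=SOURCE_TZ).timestamp()


# Constructed sample events: (epoch _time, raw timestamp text as it appeared
# in the log line). None of these are real Splunk events.
EVENTS = [
    (_epoch(2024, 6, 10, 23, 30), "2024-06-10T23:30:00Z"),  # 19:30 for the analyst
    (_epoch(2024, 6, 11, 1, 0),   "2024-06-11T01:00:00Z"),  # 21:00 for the analyst
    (_epoch(2024, 6, 11, 6, 30),  "2024-06-11T06:30:00Z"),  # 02:30 for the analyst
    (_epoch(2024, 6, 11, 10, 0),  "2024-06-11T10:00:00Z"),  # 06:00 analyst, 10 raw
    (_epoch(2024, 6, 11, 12, 0),  "2024-06-11T12:00:00Z"),  # 08:00 for the analyst
    (_epoch(2024, 6, 11, 20, 0),  "2024-06-11T20:00:00Z"),  # 16:00 analyst, 20 raw
    (_epoch(2024, 6, 11, 22, 30), "2024-06-11T22:30:00Z"),  # 18:30 analyst, 22 raw
]


def hour_from_raw_timestamp(epoch, raw):
    """Model of date_hour: the hour digits in the raw event text, no timezone applied."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").hour


def hour_in_timezone(epoch, raw, tz=ANALYST_TZ):
    """Model of tonumber(strftime(_time, "%H")): _time rendered in the user's timezone."""
    return datetime.fromtimestamp(epoch, tz).hour


def in_night_window(hour, start=19, end=7):
    """True when hour falls in [start, end). A window that wraps past midnight
    (start > end) needs the OR from the thread; a same-day window does not."""
    if start > end:
        return hour >= start or hour < end
    return start <= hour < end


def night_events(events, hour_fn):
    """Apply the 'where' filter; returns the epoch _time of every surviving event."""
    return [epoch for epoch, raw in events if in_night_window(hour_fn(epoch, raw))]


def hourly_counts(epochs, tz=ANALYST_TZ):
    """Model of 'timechart span=1h count': events per hour bucket, keyed by bucket start."""
    buckets = Counter(
        datetime.fromtimestamp(e, tz).strftime("%Y-%m-%d %H:00") for e in epochs
    )
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    by_raw = night_events(EVENTS, hour_from_raw_timestamp)
    by_tz = night_events(EVENTS, hour_in_timezone)
    print("filtered on raw-text hour (date_hour model):", len(by_raw), "events")
    print("filtered on search-time hour (strftime model):", len(by_tz), "events")
    for bucket, count in hourly_counts(by_tz).items():
        print(bucket, count)
```

Filtering on the raw-text hour keeps five of the seven events, filtering on the analyst's hour keeps four, and the two sets differ by three events (10:00Z, 20:00Z and 22:30Z). On a real index the gap is usually silent, which is why the thread settles on `strftime(_time, "%H")`: it follows the same timezone the timechart's x-axis is drawn in.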