Solved: Can you help me find the access time range between...

vpurushottam · ‎02-27-2019

Hello guys,

I am trying to search/formulate a method to determine the range of time (hours) in a day for which the resource was accessed. To clarify it, I have given an example below because, as of now, I don't have any query to paste here. I am still searching for a way to do that.

what I have:

2019-01-01 15:40:55 "Record X accessed"
2019-01-01 15:50:38 "Record Z accessed"
2019-01-01 16:08:40 "Record Y accessed"
2019-01-01 16:48:29 "Record xx accessed"
2019-01-02 13:43:29 "Record xx accessed"
2019-01-02 13:48:29 "Record xx accessed"
2019-01-02 16:08:43 "Record xx accessed"
2019-01-02 17:48:29 "Record xx accessed"
2019-01-03 6:48:29 "Record xx accessed"
2019-01-03 7:35:57 "Record xx accessed"
2019-01-03 8:45:29 "Record xx accessed"
2019-01-03 10:35:29 "Record xx accessed"

What I want:

2019-01-01 3PM - 5PM
2019-01-02 1PM - 6PM
2019-01-03  6AM - 11AM

I don't need the 3 field here as that has been taken care of, and if you need to know what the 3 field is, it is actually a 10 digit long records number.

Please help me with any idea, links, or resources that i can look into.

Thank you in advance.

chrisyounger · ‎02-27-2019

You can do something like this:

| eval date = strftime(_time, "%Y-%m-%d") 
| stats latest(_time) as end earliest(_time) as start by date 
| eval end = strftime(end, "%I:%M %p")
| eval start= strftime(start, "%I:%M %p") 
| table date start end

All the best

View solution in original post

chrisyounger · ‎02-27-2019

You can do something like this:

| eval date = strftime(_time, "%Y-%m-%d") 
| stats latest(_time) as end earliest(_time) as start by date 
| eval end = strftime(end, "%I:%M %p")
| eval start= strftime(start, "%I:%M %p") 
| table date start end

All the best

Can you help me find the access time range between hours on a single day?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!