Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we identify events based on timestamp ?

ravicheepa87
Explorer
‎03-30-2020 06:47 AM

I am indexing a file 3 times a day in splunk. Timings are around 8:30 am , 1:30 pm and 5:15 pm these are not fixed timings as job generating the file is dependent on predecessor jobs and every day timings may vary a little bit.
Each time same job runs and produce data that i want to use to create a report but i want create a seperate report for all three runs.

For example i want to make dashboard for 8:30 am run so events of 1:30 and 5:15 pm should not appear in the searchs for this dashboard. So i have to identify my events based on a timestamp range.

Can someone help me out how can i identify events based on timestamps they indexed ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2020 07:49 AM

Use relative time ranges. earliest = @d+8h latest = @d+10h for the first report, earliest = @d+13h latest = @d+14h for the second and earliest = @d+17h latest = @d@19h for the last.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2020 07:49 AM

Use relative time ranges. earliest = @d+8h latest = @d+10h for the first report, earliest = @d+13h latest = @d+14h for the second and earliest = @d+17h latest = @d@19h for the last.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ravicheepa87
Explorer
‎03-31-2020 11:27 PM

Hi @richgalloway thanks for the suggestion but this will give me only today's time range. But i want events between 8am to 10 am over a range of 30 days. When i try earliest =-30d@d+8h Latest = @d+10h it gives me all event from 30th day 8am in past to 10 am today but i want events from between 8-10 am for each day in past 30 days.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2020 05:46 AM

This would have been good to know originally.
All you can do is set the time picker for 30 days and use where to include events in the desired time range.

... | eval hour = strptime ( strftime (_time, "%H"), "%H")
| where (hour >= 8 AND hour < 10) OR (hour >= 13 AND hour < 15) OR (hour >= 17 AND hour < 19)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ravicheepa87
Explorer
‎04-01-2020 10:31 PM

Hi Rich,

Thanks it's working now but it's wroking with below code:
eval hour=strftime(_time,"%H") | where (hour >= 7 AND hour < 10) . I am getting hour as spaces if i use strptime function as mentioned by you.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...