How to filter a search by a time field in hhmm for...

hmdoan · ‎04-15-2016

I need to calculate some MTTR numbers based on NOC work shifts. In particular these shifts:

First Front: Sun-Wed 0700-1630
First Back: Wed-Sat 0700-1630
Second Front: Sun-Wed 1200-2200
Second Back: Wed-Sat 1230-2200
Third Front: Sun-Wed 2030-0700
Third Back: Wed-Sat 2000-0700

So for the shifts that are in even hours like Sun-Wed 1200-2200, the search filter is pretty easy:

date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday date_hour >=12 AND date_hour <=22

However, when you add in the half hours, I don't have any clue how to filter something like Sun-Wed 0700-1630 in using the existing time fields available.

javiergn · ‎04-15-2016

What about?

First Front

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) 
AND date_hour>=7 AND (date_hour<=16 OR (date_hour=16 AND date_minute<=30))

EDIT (if you are worried about the seconds):

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) 
AND date_hour>=7 AND (date_hour<=16 OR (date_hour=16 AND date_minute<30))

Or

(date_wday=sunday OR date_wday=monday OR date_wday=tuesday OR date_wday=wednesday) 
AND date_hour>=7 AND (date_hour<=16 OR (date_hour=16 AND date_minute<=30 AND date_second= 0))

How to filter a search by a time field in hhmm format?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio