Reputation: 943
How to search a given time range for every day in Splunk?
I am trying to search for an event that happens in a specific time range in Splunk but I want that search to encompass all of the data I have indexed which covers a wide date range.
For example, I want to see if a line in an indexed log file contains the word 'Error' between the hours of 9am and 4pm from the 25 days worth of logs I have indexed. If the word 'Error' shows up outside of that time range, I don't want that displayed in my search results.
For date/time format I am using mm/dd/yyyy:hh:mm:ss
Any ideas how I might go about this?
Upvotes: 5
Views: 11081
Answers (2)
Reputation: 115
while the selected answer is great, it did not work in my case (splunk v6), however this did work (it was mainly adding the | eval date_hour... )
and my full working search (between hours of 6am to 11pm , for each of the prior 25 days):
index=mymts earliest=-25d | eval date_hour=strftime(_time, "%H") | search date_hour>=6 date_hour<=23 host="172.17.172.1" "/netmap/*"
hope this helps others.
Upvotes: 2
Reputation: 1059
You can try a search something like this:
index=foo earliest=-25d (date_hour > 9 and date_hour < 16) "Error"
Upvotes: 6
Related Questions
- Splunk - find new values that only appear after a certain date
- Splunk: Split a time period into hourly intervals
- splunk and how to do alerting on the first/last business day
- Splunk search by given timestamp not the time of ingestion to splunk
- Splunk Enterprise: Exclude certain time ranges for a bigger time range
- Splunk - Assigning custom time
- How to get splunk report for different time ranges
- How to schedule a search to run every 5 minutes in Splunk?
- Time based sliding window query in splunk
- Is there any way of searching just for a range of hours everyday for the last month?