How to search a given time range for every day in Splunk?

Question

I am trying to search for an event that happens in a specific time range in Splunk but I want that search to encompass all of the data I have indexed which covers a wide date range.

For example, I want to see if a line in an indexed log file contains the word 'Error' between the hours of 9am and 4pm from the 25 days worth of logs I have indexed. If the word 'Error' shows up outside of that time range, I don't want that displayed in my search results.

For date/time format I am using mm/dd/yyyy:hh:mm:ss

Any ideas how I might go about this?

score 5 · Accepted Answer · answered Jun 17 '15 at 04:57

5

You can try a search something like this:

index=foo earliest=-25d (date_hour > 9 and date_hour < 16) "Error"

answered Jun 17 '15 at 04:57

Shakeel

1,039
7
20

1

Thanks! This is just was I was looking for. – Marek Jun 30 '15 at 17:59

score 0 · Answer 2 · answered Jul 14 '20 at 16:47

while the selected answer is great, it did not work in my case (splunk v6), however this did work (it was mainly adding the | eval date_hour... )

and my full working search (between hours of 6am to 11pm , for each of the prior 25 days):

index=mymts earliest=-25d | eval date_hour=strftime(_time, "%H") | search date_hour>=6 date_hour<=23 host="172.17.172.1" "/netmap/*"

hope this helps others.

How to search a given time range for every day in Splunk?

2 Answers2