Excluding Data Between times

Follow
Avatar
Jason Hornett

Hi, wondering if its possible to exclude data from a search between certain times

Example

_source=prod

| where statuscode > "400"

| timeslice 1s

| count statuscode, _timeslice

| formatdate(_timeslice, "HH:mm:ss") as Time

| where Time  NOT > "07:00:00" and < "15:00:00"

| fields -_timeslice

| order by Time asc

0

Comments

1 comment

Sort by Date Votes
  • Official comment
    Avatar
    Matt Sullivan

    prob best to split the Time into its parts, then you have an actual integer where compares work, e.g. 

    | split Time delim=':' extract 1 as hh, 2 as mm, 3 as ss
    | where hh > 15 and hh < 23

    hope this answer helps, even if not super timely (apologies)..

    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post