2

I am in need of knowing if there is a possibility to exclude certain time ranges within a given time period? I have a formula for my search and then I have chosen the datepicker, but would like to know if I can filter out specific time ranges within what I already have chosen?

Or is the only way out to make multiple searches from the datepicker menu?

Thanks a lot

Erfan Tavoosi
  • 389
  • 5
  • 16

1 Answers1

3

The way to filter time the way you're describing is by putting it directly in your SPL instead of using the time picker using earliest and latest

For example:

index=ndx sourcetype=srctp ((earliest=-24d latest=-20d) OR (earliest=-10d latest=-6d)
| <rest of SPL>
warren
  • 32,620
  • 21
  • 85
  • 124