I am currently trying to set up a Splunk search query in a dashboard that checks a specific time interval. The job I am trying to set it up with runs three times a day: once at 6am, once at 12:20pm, and once at 16:20 (4:20pm). Currently the query just searches for the latest time and sets the background according to whether it received an error or not, but the users wanted the three times it runs per day to be displayed separately, so now I need to set up an interval of time for each of the three panels to display. I have tried a lot of things with no luck (I am new to Splunk, so I have been just randomly trying different syntax).
I have tried using a search command `|search Time>6:00:00 Time<7:00:00` and also tried using other commands that happen before the stats command that gets the latest time, with no luck. I'm just stuck at this point and have no clue what to try.
I have my index at the top here but don't think it's necessary to show.
| rex field=_raw ".+EVENT:\s(?<event>\S+)\s.+STATUS:\s(?<status>\S+)\s.+JOB:\s(?<job>\S+)"
| stats latest(_time) as Time by status
| eval Time=strftime(Time, "%H:%M:%S") stats Time>6:00:00 Time<7:00:00
| sort 1 - Time
| table Time status
| append [| makeresults | eval Time="06:10:00"]
| eval range = case(status="FAILURE", "severe", status="SUCCESS", "low", 1==1, "guarded")
| head 1
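One way to get a per-run window, as an added example that is not part of the original post: derive the minute of the day from the numeric `_time` before the `stats`, assign each event to a run window, then keep the latest status per window. The index name, the window boundaries (06:00 to 12:00, 12:00 to 16:00, 16:00 to midnight) and the final `where run="06:00"` filter are assumptions; in a dashboard each panel would substitute its own run value there.

```spl
index=<your_index> earliest=@d latest=now
| rex field=_raw ".+EVENT:\s(?<event>\S+)\s.+STATUS:\s(?<status>\S+)\s.+JOB:\s(?<job>\S+)"
| eval minute_of_day = tonumber(strftime(_time, "%H")) * 60 + tonumber(strftime(_time, "%M"))
| eval run = case(
    minute_of_day >= 360 AND minute_of_day < 720, "06:00",
    minute_of_day >= 720 AND minute_of_day < 960, "12:20",
    minute_of_day >= 960, "16:20")
| where isnotnull(run)
| stats latest(_time) as Time, latest(status) as status by run
| eval Time = strftime(Time, "%H:%M:%S")
| eval range = case(status="FAILURE", "severe", status="SUCCESS", "low", 1==1, "guarded")
| where run="06:00"
| table run Time status range
```

Comparing the formatted `Time` string with `>` and `<` does not work because after `strftime` it is text, not a number; the numeric `minute_of_day` computed from `_time` is what the window comparison needs. Dropping the last `where` shows all three runs in one table, which is useful for checking the boundaries before splitting into panels.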