Hi splunk, I had a search of
sourcetype="ltaTraffic" Type="Accident" tag=expressway earliest=-30d | transaction locationaccident maxspan=1s | bucket span=1h _time | dedup locationaccident | fields onexpressway, locationaccident, current_area | eval date=strftime(_time, "%m/%d/%Y %H:%M:%S") | chart count(locationaccident) as Accidents by date | sort -Accidents | head 25 | sort date
How can I define the time from 6am to 6pm of 1 week? I know starttime and endtime, but it won't work as I am collecting data all the way.
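One way to restrict the search above to the 6am to 6pm window on each day of a week, added here as an example and not part of the original post: derive the hour of day from `_time` with `strftime` and filter on it before the rest of the pipeline. The field names, sourcetype and tag are taken from the poster's search; the `earliest=-7d@d latest=@d` window (the last seven full days) and the `hour` field name are assumptions for the example.

```spl
sourcetype="ltaTraffic" Type="Accident" tag=expressway earliest=-7d@d latest=@d
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=6 AND hour<18
| transaction locationaccident maxspan=1s
| bucket span=1h _time
| dedup locationaccident
| fields onexpressway, locationaccident, current_area
| eval date=strftime(_time, "%m/%d/%Y %H:%M:%S")
| chart count(locationaccident) as Accidents by date
| sort -Accidents
| head 25
| sort date
```

`strftime` renders `_time` in the timezone configured for the user running the search, so the 6 to 18 hour check follows that timezone; `hour<18` stops at 17:59:59, which is what "6am to 6pm" normally means. Filtering before `transaction` also keeps the (expensive) grouping step working on fewer events.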