[analog-help] excluding a timespan in the middle of FROM, TO

janet ward janet-w at wanadoo.fr
Mon Nov 5 12:22:58 PST 2007


> You can only have one set of TO/FROM, and the FROM time has to be before the TO time.
> 
> If it was for more than a 6 minute window, you could try creating cache files for the 2 periods and combining them, but it seems that simply editing out the 6 minutes would be the simplest way to do what you're trying to do. 
> 
> Personally, I'd take a much closer look at the data in that 6 minute window. Turn on the Host report (HOST ON), and see if there's a single IP address generating the anomalous data. Then look for that address in the whole log (HOSTINCLUDE w.x.y.z) and see if it only occurs in your 6 minute window. If it does, then exclude it (HOSTEXCLUDE w.x.y.z).

This is where I started from - the HOST report showed up *nothing* out 
of the ordinary - entries in the region of between 2 and 18 per HOST, 
which is why I wanted to exclude what looked like the time span that 
included the culprit/s.

In fact, while waiting for (understandable) advice, I have deleted two 
sections of entries from my raw log files [3800 lines from 11:46:01 to 
11:50:58, and 670 lines from 14:49:01 to 14:51:49]. This has made the 
resulting analog look much more reasonable.

JW
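
An added example, not part of the original message: the removal of the two time spans described above (11:46:01 to 11:50:58 and 14:49:01 to 14:51:49) done by a script that leaves the raw log untouched, keeps the removed lines for inspection, and counts them by host and by user agent. The date, the sample lines and all function names are constructed, and Combined Log Format is assumed.

```python
import re
from collections import Counter
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Timestamp field of Common/Combined Log Format: [04/Nov/2007:11:46:01 +0100]
TS = re.compile(r"\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ")

def parse_ts(line):
    """Return the log-local time of a line, or None if it has no valid timestamp."""
    m = TS.search(line)
    if not m or m.group(2) not in MONTHS:
        return None
    d, mon, y, hh, mm, ss = m.groups()
    return datetime(int(y), MONTHS[mon], int(d), int(hh), int(mm), int(ss))

def split_log(lines, windows):
    """Split lines into (kept, removed); window bounds are inclusive.
    Lines without a parsable timestamp are kept, never silently dropped."""
    kept, removed = [], []
    for line in lines:
        ts = parse_ts(line)
        hit = ts is not None and any(a <= ts <= b for a, b in windows)
        (removed if hit else kept).append(line)
    return kept, removed

def field_counts(lines):
    """Count removed lines by host (first field) and user agent (last quoted field)."""
    hosts = Counter(l.split(" ", 1)[0] for l in lines)
    agents = Counter(l.rsplit('"', 2)[-2] for l in lines if l.count('"') >= 6)
    return hosts, agents

DAY = (2007, 11, 4)  # constructed date; the message gives only times of day
WINDOWS = [(datetime(*DAY, 11, 46, 1), datetime(*DAY, 11, 50, 58)),
           (datetime(*DAY, 14, 49, 1), datetime(*DAY, 14, 51, 49))]
SAMPLE = [  # constructed log lines
    '192.0.2.10 - - [04/Nov/2007:11:45:59 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [04/Nov/2007:11:46:01 +0100] "GET /search?q=a HTTP/1.1" 200 900 "-" "ExampleBot/1.0"',
    '192.0.2.12 - - [04/Nov/2007:11:50:58 +0100] "GET /search?q=b HTTP/1.1" 200 900 "-" "ExampleBot/1.0"',
    '192.0.2.13 - - [04/Nov/2007:11:50:59 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [04/Nov/2007:14:50:00 +0100] "GET /search?q=c HTTP/1.1" 200 900 "-" "ExampleBot/1.0"',
    'line with no timestamp',
]

if __name__ == "__main__":
    kept, removed = split_log(SAMPLE, WINDOWS)
    hosts, agents = field_counts(removed)
    print(len(kept), "kept,", len(removed), "removed")
    print("hosts in windows:", len(hosts), "| top agents:", agents.most_common(3))
```

The timezone offset in the log is ignored, so the window bounds must be given in the log's own local time.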