I have a search that tracks VPN logins for known/unknown users that works fine. I am trying to filter for only logins during a specific time which for me is 11pm to 5am for whatever specified date range I give (prior day, week, month, or specific date to date). The current search I am using gives me all logins over the specific date range I choose. I am trying to come up with a search for instance for VPN logins during 11pm - 5am on any date between August 12 - 19. My current search is:
tag=vpn | eval legal_time=if(date_hour < 5 OR date_hour > 22,"No","Yes") | sort user _time | table user _time vendor_action legal_time | top limit=1000 vendor_action
Try this:
tag=vpn earliest=-7d@d | eval HoD=tonumber(strftime(_time, "%H")) | where HoD>5 AND HoD<22 | sort user _time | table user _time vendor_action legal_time | top limit=1000 vendor_action
Thanks Sundareshr, but it only gives me times between 5am and 11pm, so basically the same results I was getting before. I am trying to find any logins between 11pm - 5am (i.e. midnight, 1am, 2am, etc., not 6am, 7am, 1pm, 2pm, etc.). I ended up resolving it by changing the < > to the below:
tag=vpn earliest=-7d@d | eval HoD=tonumber(strftime(_time, "%H")) | where HoD<5 OR HoD>22 | sort user _time | table user _time vendor_action legal_time | top limit=1000 vendor_action
That gave me the results I was looking for. Thank you for helping still as it caused me to take a look again and also learn some new search syntax.
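The core of the problem above is that an hour window crossing midnight (23:00 to 05:00) needs OR, not AND: `hour < 5 AND hour > 22` can never be true. This added Python example (not from the thread, and not Splunk code) shows the same off-hours filter over constructed VPN login records, with the date range and hours as parameters, so the logic can be checked outside Splunk; the SPL equivalent is `where HoD<5 OR HoD>22`.

```python
from datetime import datetime

# Constructed sample VPN login events: (user, timestamp, vendor_action).
# Not real data; chosen to hit the window edges (23:00 and 05:00).
SAMPLE_LOGINS = [
    ("alice", "2019-08-12 23:15:00", "login"),
    ("bob",   "2019-08-13 04:59:59", "login"),
    ("carol", "2019-08-13 05:00:00", "login"),   # window is exclusive at 05:00
    ("dave",  "2019-08-14 13:30:00", "login"),
    ("erin",  "2019-08-19 22:59:59", "login"),   # 22:59 is still before 23:00
    ("frank", "2019-08-20 00:30:00", "login"),   # outside the date range
]

def legal_time_buggy(hour: int) -> str:
    """The original search's test: AND of two disjoint ranges, so always 'Yes'."""
    return "No" if (hour < 5 and hour > 22) else "Yes"

def in_window(hour: int, start: int, end: int) -> bool:
    """True if hour (0-23) is in [start, end) on a 24h clock.

    When the window wraps past midnight (start > end, e.g. 23 -> 5) the two
    comparisons must be joined with OR; a non-wrapping window uses AND.
    """
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end

def off_hours_logins(events, date_from, date_to, start_hour=23, end_hour=5):
    """Return (user, timestamp, action, legal_time) for logins whose calendar
    date is within [date_from, date_to] and whose hour is in the window."""
    lo = datetime.strptime(date_from, "%Y-%m-%d").date()
    hi = datetime.strptime(date_to, "%Y-%m-%d").date()
    hits = []
    for user, ts, action in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if lo <= t.date() <= hi and in_window(t.hour, start_hour, end_hour):
            hits.append((user, ts, action, "No"))  # legal_time = "No"
    return hits

if __name__ == "__main__":
    for row in off_hours_logins(SAMPLE_LOGINS, "2019-08-12", "2019-08-19"):
        print(row)
```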
Great. If this helped you arrive at the final answer, please accept/upvote to close it out.