Getting Data In

How do I identify user activity outside normal hours across time zones

danielransell
Path Finder

Can someone help me identify whether I have a time zone issue or a search implementation issue?

I have a props.conf under SPLUNKHOME\etc\system\local with the following:
[host::CA*]
TZ = US/Pacific

I am in the Eastern time zone and some of the computers I am collecting events for are in the Pacific time zone (named CA01, CA02, etc).
I am searching through Windows Security logs for after hour user activity where the hour is greater than 18 or less than 6.
My events for lax computers include events occurring at 3PM Pacific or later.

If I run a search, for all events with the applicable host name and pipe those results to a table with _time and _raw, there is a three hour difference between the _time value and the timestamp in the _raw event.
Using ./splunk cmd btool props list --debug, I confirmed that my [host::CA*] stanza and TZ = US/Pacific were in the active props configuration.

My searches for events where the hour is greater than 18 rely on the following:
search string | eval hour = strftime(_time, "%H") | where (hour<=5 OR hour >=18)

Any suggestions?

0 Karma
1 Solution

dineshraj9
Builder

Using the search below will give you the hour based on your own local time zone setting in Splunk:

search string | eval hour = strftime(_time, "%H") | where (hour<=5 OR hour >=18)

What you can try is:

1) Extract the hour part from the raw event using rex and then check if that value is < 6 or > 18.

2) Adjust _time and adjust all events to same timezone and then do the check.


0 Karma
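As an added illustration of the two approaches in this answer (not code from the original thread or from Splunk), the Python below reproduces what happens to a Windows Security event from a Pacific host once the [host::CA*] TZ stanza has turned its raw timestamp into a UTC _time: rendering that _time with strftime in the searching user's Eastern zone shifts a 3 PM logon to hour 18 and wrongly flags it as after hours, while either extracting the hour from _raw (approach 1) or converting _time into the host's own zone (approach 2) gives hour 15. The host-to-zone map, the Eastern viewer zone, and the sample events are constructed assumptions; the IANA names America/Los_Angeles and America/New_York are used in place of the props.conf names US/Pacific and US/Eastern.

```python
import re
from datetime import datetime
from fnmatch import fnmatch
from zoneinfo import ZoneInfo

# Hypothetical host -> zone map, standing in for props.conf stanzas such as
# [host::CA*] TZ = US/Pacific (IANA equivalent America/Los_Angeles).
HOST_TZ = {
    "CA*": "America/Los_Angeles",
    "NY*": "America/New_York",
}
# Zone of the person running the search (assumption: Eastern, as in the question).
VIEWER_TZ = "America/New_York"

# Constructed sample events in the layout Splunk keeps in _raw for Windows Security logs.
SAMPLE_EVENTS = [
    ("CA01", "03/15/2024 03:12:45 PM\nLogName=Security\nEventCode=4624\nAccount_Name=jdoe"),
    ("CA02", "03/15/2024 09:40:10 PM\nLogName=Security\nEventCode=4624\nAccount_Name=jdoe"),
    ("NY01", "03/15/2024 05:30:00 AM\nLogName=Security\nEventCode=4624\nAccount_Name=asmith"),
]

RAW_TS = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2} [AP]M)")
ACCOUNT = re.compile(r"^Account_Name=(?P<name>\S+)", re.MULTILINE)


def host_tz(host):
    """Match the host against the wildcard stanzas, falling back to the viewer's zone."""
    for pattern, tz in HOST_TZ.items():
        if fnmatch(host, pattern):
            return ZoneInfo(tz)
    return ZoneInfo(VIEWER_TZ)


def index_time(host, raw):
    """What the TZ stanza does at index time: read the raw clock time in the host's
    zone and store the corresponding UTC epoch as _time."""
    m = RAW_TS.match(raw)
    naive = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return naive.replace(tzinfo=host_tz(host)).timestamp()


def hour_in_viewer_tz(epoch):
    """The question's search: strftime(_time, "%H") rendered in the viewer's zone."""
    return datetime.fromtimestamp(epoch, ZoneInfo(VIEWER_TZ)).hour


def hour_from_raw(raw):
    """Approach 1: rex the clock hour straight out of _raw."""
    m = RAW_TS.match(raw)
    return datetime.strptime(m["time"], "%I:%M:%S %p").hour


def hour_in_host_tz(host, epoch):
    """Approach 2: convert _time into the host's own zone before checking the hour."""
    return datetime.fromtimestamp(epoch, host_tz(host)).hour


def after_hours(hour):
    """The thread's rule: outside 06:00-17:59 host-local time."""
    return hour <= 5 or hour >= 18


def classify(host, raw):
    """Hour of one event under all three interpretations."""
    epoch = index_time(host, raw)
    return {
        "viewer_hour": hour_in_viewer_tz(epoch),
        "raw_hour": hour_from_raw(raw),
        "host_hour": hour_in_host_tz(host, epoch),
    }


def after_hours_report(events):
    """(host, account, host-local hour) for events that are after hours on the host."""
    hits = []
    for host, raw in events:
        hour = hour_in_host_tz(host, index_time(host, raw))
        if after_hours(hour):
            hits.append((host, ACCOUNT.search(raw)["name"], hour))
    return hits


if __name__ == "__main__":
    for host, raw in SAMPLE_EVENTS:
        print(host, classify(host, raw))
    print(after_hours_report(SAMPLE_EVENTS))
```

The first sample is the three-hour discrepancy from the question: the viewer's hour is 18 while the host's clock read 15. Approach 1 needs no knowledge of the host's zone but only works while the raw timestamp is host-local; approach 2 keeps working if you later add hosts in other zones, because it reuses the same host-to-zone mapping the TZ stanza relies on.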


danielransell
Path Finder

Thanks - My intentions are to include the results in a recurring report, so I guess my next step is to figure out Windows Security Log time extraction from the native event. I appreciate the review and feedback.

0 Karma