Hi All,
I am new to Splunk and need some help. I am running a search to look for Domain Admin account activity. I have the query running right now for failed login attempts for my admin accounts and I am dumping it into a table with the source, destination, count, etc. I would like to run another search for "off-hour" logons. Same search as before, but in this case only look for fails or successes between 7:00 PM and 6:00 AM each day.
Is this possible?
Any help would be greatly appreciated.
Thanks,
Greg
in the search add conditions on the hour of the timestamp (see the fields date_*)
date_hour<6 OR date_hour>19
I think you're going to have to use the date_hour and date_wday fields to satisfy your search needs. The earliest and latest search parameters do not appear to address this case. This might do the trick:
(date_hour>18 OR date_hour<7) OR (date_wday=Sunday OR date_wday=Saturday)
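The two answers above both filter on the hour and weekday of the event timestamp. The following is an added example, not code from either poster and not SPL: it reproduces the `(date_hour>18 OR date_hour<6) OR weekend` window in plain Python over a handful of constructed Windows Security events (EventCode 4625 = failed logon, 4624 = successful logon), so the boundary behaviour can be checked before the same logic is put into a saved search. The account names, hosts, addresses, and the EST site timezone are all assumptions made for the example.

```python
"""Off-hours Domain Admin logon report over constructed Windows Security events.

Added example; not the original poster's search and not SPL. It mirrors the
date_hour / date_wday filter from the answers above so the boundaries can be tested.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumptions (not from the original post)
SITE_TZ = timezone(timedelta(hours=-5), name="EST")  # fixed offset for the sample; use zoneinfo for DST in production
OFF_HOURS_START = 19                                  # 7:00 PM; equivalent to date_hour>18
OFF_HOURS_END = 6                                     # 6:00 AM, exclusive: hour 6 is business hours (date_hour<6)
WEEKEND = {5, 6}                                      # datetime.weekday(): Monday=0 ... Saturday=5, Sunday=6
ADMIN_ACCOUNTS = {"DA-greg", "DA-alice"}              # hypothetical Domain Admin account names
OUTCOME = {4624: "success", 4625: "failed"}           # Windows Security logon EventCodes

# Constructed sample events; timestamps are UTC as a forwarder would ship them.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T23:15:02Z", "EventCode": 4625, "user": "DA-greg", "src": "10.0.0.5", "dest": "DC01"},      # Mon 18:15 local: business hours
    {"_time": "2024-03-05T01:20:11Z", "EventCode": 4625, "user": "DA-greg", "src": "10.0.0.5", "dest": "DC01"},      # Mon 20:20 local: off-hours
    {"_time": "2024-03-05T01:22:40Z", "EventCode": 4625, "user": "DA-greg", "src": "10.0.0.5", "dest": "DC01"},      # Mon 20:22 local: off-hours
    {"_time": "2024-03-05T08:05:00Z", "EventCode": 4624, "user": "DA-greg", "src": "10.0.0.9", "dest": "DC02"},      # Tue 03:05 local: off-hours success
    {"_time": "2024-03-05T11:00:00Z", "EventCode": 4625, "user": "DA-alice", "src": "10.0.0.5", "dest": "DC01"},     # Tue 06:00 local: boundary, business hours
    {"_time": "2024-03-05T14:30:00Z", "EventCode": 4624, "user": "DA-alice", "src": "10.0.0.9", "dest": "DC02"},     # Tue 09:30 local: business hours
    {"_time": "2024-03-09T16:00:00Z", "EventCode": 4625, "user": "DA-alice", "src": "198.51.100.7", "dest": "DC01"}, # Sat 11:00 local: weekend
    {"_time": "2024-03-05T02:00:00Z", "EventCode": 4625, "user": "svc-backup", "src": "10.0.0.20", "dest": "DC01"},  # off-hours, but not a DA account
]


def to_local(ts_utc: str) -> datetime:
    """Parse a UTC ISO-8601 timestamp and convert it to the site timezone."""
    parsed = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return parsed.astimezone(SITE_TZ)


def is_off_hours(local: datetime) -> bool:
    """Same predicate as (date_hour>18 OR date_hour<6) OR (date_wday=saturday OR date_wday=sunday)."""
    return (
        local.hour >= OFF_HOURS_START
        or local.hour < OFF_HOURS_END
        or local.weekday() in WEEKEND
    )


def off_hours_report(events) -> Counter:
    """Count off-hours DA logon attempts by (user, src, dest, outcome), like a stats table."""
    counts = Counter()
    for ev in events:
        if ev["user"] not in ADMIN_ACCOUNTS or ev["EventCode"] not in OUTCOME:
            continue  # only logon events for the accounts of interest
        if is_off_hours(to_local(ev["_time"])):
            counts[(ev["user"], ev["src"], ev["dest"], OUTCOME[ev["EventCode"]])] += 1
    return counts


if __name__ == "__main__":
    for (user, src, dest, outcome), n in sorted(off_hours_report(SAMPLE_EVENTS).items()):
        print(f"{user:10} {src:14} {dest:6} {outcome:8} {n}")
```

Two things worth checking against the real data before trusting the SPL version: the boundary hours (the answers' `date_hour<6` stops at 05:59 while `date_hour>18` starts at 19:00, which is the asymmetry the sample's 06:00 event exercises), and the timezone, since Splunk's date_* fields are derived from the timestamp as written in the raw event and are not adjusted to the timezone of the user running the search, so if the forwarders write UTC timestamps the hour window must be expressed in UTC.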