Hi,
we have this scenario:
A user logs in to a system on date A.
To be allowed to do so, he/she has to order access, from date X to date Y.
So we have to find all order requests from that user and find out if date A is in the timeframe from X to Y.
Kind Regards,
jens
Sounds like you have two sets of events - one for order_requests, and one that is the users actually accessing the system.
Let me assume that these are two different sourcetypes, and also that the userId is extracted as the same field name in each sourcetype, e.g. userId
(if not, you would use a little more conditional eval to make yourself a single normalized field).
Let's also say that the order_request events have two fields, requested_start and requested_end, defining the interval of the requested access time.
Then this search would give you the usernames who had accessed the system outside of the allowed time range, and their various times of the unauthorized access.
sourcetype=order_request OR sourcetype=access
| eval access_time=if(sourcetype=="access",_time,null())
| stats last(requested_start) as start last(requested_end) as end values(access_time) as access_time by userId
| mvexpand access_time
| where access_time>end OR access_time<start
| table userId start end access_time
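The same check carried out in plain Python, as an added example that is neither jens's nor the answerer's code. It goes one step beyond the search above: `last()` keys each user on a single order request, whereas this version keeps every requested window per user and flags an access only when it falls outside all of them, and it also flags users who have access events but no order request at all. The sample events, field names and ISO timestamp format are constructed assumptions; in Splunk the comparison only works if requested_start and requested_end are already epoch values, which is what the `to_epoch` conversion stands in for here.

```python
from datetime import datetime, timezone

# Constructed sample events; field names mirror the thread's assumptions
# (userId, requested_start, requested_end, _time) but the values are made up.
ORDER_REQUESTS = [
    {"userId": "alice", "requested_start": "2024-03-01T00:00:00Z", "requested_end": "2024-03-07T23:59:59Z"},
    {"userId": "alice", "requested_start": "2024-03-20T00:00:00Z", "requested_end": "2024-03-22T23:59:59Z"},
    {"userId": "bob",   "requested_start": "2024-03-10T00:00:00Z", "requested_end": "2024-03-12T23:59:59Z"},
]
ACCESS_EVENTS = [
    {"userId": "alice", "_time": "2024-03-03T12:00:00Z"},  # inside alice's first window
    {"userId": "alice", "_time": "2024-03-15T08:30:00Z"},  # between her windows: unauthorized
    {"userId": "alice", "_time": "2024-03-21T09:00:00Z"},  # inside alice's second window
    {"userId": "bob",   "_time": "2024-03-13T00:00:01Z"},  # one second after bob's window ends
    {"userId": "carol", "_time": "2024-03-05T10:00:00Z"},  # never ordered access at all
]


def to_epoch(ts):
    """Normalize an ISO-8601 UTC timestamp (constructed format) to epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def windows_by_user(order_requests):
    """Collect every (start, end) epoch interval a user has requested, not just the latest."""
    windows = {}
    for req in order_requests:
        interval = (to_epoch(req["requested_start"]), to_epoch(req["requested_end"]))
        windows.setdefault(req["userId"], []).append(interval)
    return windows


def find_unauthorized_access(order_requests, access_events):
    """Return access events whose time lies outside all of that user's requested windows.

    A user with no order request has an empty window list, so every access
    by that user is reported as unauthorized.
    """
    windows = windows_by_user(order_requests)
    unauthorized = []
    for event in access_events:
        t = to_epoch(event["_time"])
        user_windows = windows.get(event["userId"], [])
        if not any(start <= t <= end for start, end in user_windows):
            unauthorized.append({
                "userId": event["userId"],
                "access_time": event["_time"],
                "windows": user_windows,
            })
    return unauthorized


if __name__ == "__main__":
    for hit in find_unauthorized_access(ORDER_REQUESTS, ACCESS_EVENTS):
        print(hit["userId"], hit["access_time"], "outside", hit["windows"])
```

The boundaries are inclusive, so an access at exactly requested_end is still allowed; tighten that to `start <= t < end` if your order system treats the end date as exclusive.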