Splunk Search

Find records within a timeframe defined by another search.

JensT
Communicator

Hi,

we have this scenario:

A user logs in to a system on date A.
To be allowed to do so he/she has to order access, from date X to date Y.

So we have to find all order requests from that user and find out whether date A is in the timeframe from X to Y.

Kind Regards,

jens

sideview
SplunkTrust

Sounds like you have two sets of events - one for order_requests, and one that is the users actually accessing the system.

Let me assume that these are two different sourcetypes, and also that the userId is extracted as the same field name in each sourcetype, e.g. userId (if not, you would use a little more conditional eval to make yourself a single normalized field).

Let's also say that the order_request events have two fields, requested_start and requested_end, defining the interval of the requested access time.

Then this search would give you the usernames who had accessed the system outside of the allowed time range, and the times of their unauthorized accesses.

sourcetype=order_request OR sourcetype=access 
| eval access_time=if(sourcetype=="access",_time,null()) 
| stats last(requested_start) as start last(requested_end) as end values(access_time) as access_time by userId
| mvexpand access_time
| where access_time>end OR access_time<start
| table userId start end access_time
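The same check reimplemented in Python over constructed sample events, as an added example that is not part of the answer above and not Splunk code. It goes a step beyond the SPL search: because that search keeps only the last(requested_start)/last(requested_end) per user, it handles a single window; this version keeps every requested window per user and also reports users who have no order_request at all, which the where clause in the search cannot flag because it has no start/end to compare against. Field names (sourcetype, userId, requested_start, requested_end, _time) follow the answer's assumptions.

```python
from datetime import datetime

# Constructed sample events (not from the original post): the two sourcetypes
# the answer assumes, both carrying userId. Times are ISO 8601 strings.
EVENTS = [
    {"sourcetype": "order_request", "userId": "alice",
     "requested_start": "2024-05-01T08:00:00", "requested_end": "2024-05-01T18:00:00"},
    {"sourcetype": "order_request", "userId": "alice",
     "requested_start": "2024-05-03T08:00:00", "requested_end": "2024-05-03T18:00:00"},
    {"sourcetype": "order_request", "userId": "bob",
     "requested_start": "2024-05-02T00:00:00", "requested_end": "2024-05-02T23:59:59"},
    {"sourcetype": "access", "userId": "alice", "_time": "2024-05-01T09:15:00"},
    {"sourcetype": "access", "userId": "alice", "_time": "2024-05-02T10:00:00"},
    {"sourcetype": "access", "userId": "alice", "_time": "2024-05-03T17:59:00"},
    {"sourcetype": "access", "userId": "bob", "_time": "2024-05-02T08:00:00"},
    {"sourcetype": "access", "userId": "bob", "_time": "2024-05-03T01:00:00"},
    {"sourcetype": "access", "userId": "carol", "_time": "2024-05-02T12:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def unauthorized_access(events):
    """Return sorted (userId, access_time) pairs for access events that fall
    inside none of that user's requested windows (inclusive bounds)."""
    windows = {}    # userId -> list of (requested_start, requested_end)
    accesses = []   # (userId, access_time)
    for ev in events:
        if ev["sourcetype"] == "order_request":
            windows.setdefault(ev["userId"], []).append(
                (_ts(ev["requested_start"]), _ts(ev["requested_end"])))
        elif ev["sourcetype"] == "access":
            accesses.append((ev["userId"], _ts(ev["_time"])))
    flagged = []
    for user, when in sorted(accesses):
        # A user with no order_request has an empty window list, so any()
        # is False and every access is reported.
        covered = any(start <= when <= end for start, end in windows.get(user, []))
        if not covered:
            flagged.append((user, when.isoformat()))
    return flagged


if __name__ == "__main__":
    for user, when in unauthorized_access(EVENTS):
        print(f"{user}\t{when}")
```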