- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use the "IF" statement to evaluate a window...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize in advance as I'm new to Splunk searching...
I currently have a basic search for my dashboard that returns newly created user accounts;
index=wineventlog EventCode=4720| table _time Display_Name | sort generated_time
What I would like to do is enhance this with a new column to show me accounts created outside of normal business hours.
index=wineventlog EventCode=4720| table _time Display_Name | eval _time=if(_time(earliest="*/*/*:08:00:00" latest="*/*/*:17:00:00"), Normal, Abnormal)
I'm sure I'm completely screwing up this "IF" statement and evaluating the time window doesn't help it, so I'd appreciate any advice anyone has. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=wineventlog EventCode=4720| table _time Display_Name
| eval CreationTimeRemark=if(_time>=relative_time(_time,"@d+8h") AND _time<relative_time(_time,"@d+17h"), "Normal", "Abnormal")
The _time is a special field which (should) contains epoch value of the timestamp and should be kept that way for it's functionalities. Here the if conditions check if the value of _time (timestamp of event) falls within 8:00 and 17:00 of the same day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=wineventlog EventCode=4720| table _time Display_Name
| eval CreationTimeRemark=if(_time>=relative_time(_time,"@d+8h") AND _time<relative_time(_time,"@d+17h"), "Normal", "Abnormal")
The _time is a special field which (should) contains epoch value of the timestamp and should be kept that way for it's functionalities. Here the if conditions check if the value of _time (timestamp of event) falls within 8:00 and 17:00 of the same day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! Totally works!! Thanks!!!
Now I'll spend the next 3 days figuring out how it works... 😉
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
