https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624869#M107412 <P>I am trying to create an after hour query with specific time frames 1. Mon 0000-0700 and 1900-2400, 2. Tue&nbsp;0000-0700 and 1900-2400, 3. Wed&nbsp;0000-0700 and 1900-2400, Thur&nbsp;0000-0700 and 1900-2400, Fri&nbsp;0000-0700 and 1900-2400, Sat 0000-2400, and Sun 0000-2400. I have my Cron Express set for 43 10***&nbsp;</P> <P>| sort - _time</P> <P>| eval user=lower(user)</P> <P>|eval Day=strftime(_time,”%A”)</P> <P>|eval Hour=strftime(_time,”%H”)</P> <P>|eval Date=strftime(_time,”Y-%m-%d”)</P> <P>| search Hour IN (19,20,21,22,23,24,0,1,2,3,4,5,6,7)</P> <P>| table Date, Day, Hour, “User Account”</P> <P>I like the way this is displayed but I cannot figure out how to combine this query with a weekend (FRI 1900-Mon 0700) query. Or will I have to have two different queries? Once completed this will make a good dashboard.&nbsp;</P> Tue, 20 Dec 2022 16:50:28 GMT Johnsonbc 2022-12-20T16:50:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624869#M107412 <P>I am trying to create an after hour query with specific time frames 1. Mon 0000-0700 and 1900-2400, 2. Tue&nbsp;0000-0700 and 1900-2400, 3. Wed&nbsp;0000-0700 and 1900-2400, Thur&nbsp;0000-0700 and 1900-2400, Fri&nbsp;0000-0700 and 1900-2400, Sat 0000-2400, and Sun 0000-2400. I have my Cron Express set for 43 10***&nbsp;</P> <P>| sort - _time</P> <P>| eval user=lower(user)</P> <P>|eval Day=strftime(_time,”%A”)</P> <P>|eval Hour=strftime(_time,”%H”)</P> <P>|eval Date=strftime(_time,”Y-%m-%d”)</P> <P>| search Hour IN (19,20,21,22,23,24,0,1,2,3,4,5,6,7)</P> <P>| table Date, Day, Hour, “User Account”</P> <P>I like the way this is displayed but I cannot figure out how to combine this query with a weekend (FRI 1900-Mon 0700) query. Or will I have to have two different queries? Once completed this will make a good dashboard.&nbsp;</P> Tue, 20 Dec 2022 16:50:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624869#M107412 Johnsonbc 2022-12-20T16:50:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624874#M107414 <P>Use <FONT face="courier new,courier">OR</FONT> to test for weekend days or weekday hours.</P><LI-CODE lang="markup">| sort - _time | eval user=lower(user) | eval Day=strftime(_time,”%A”) | eval Hour=strftime(_time,”%H”) | eval Date=strftime(_time,”Y-%m-%d”) | search Day IN (Saturday Sunday) OR Hour IN (19,20,21,22,23,24,0,1,2,3,4,5,6,7) | table Date, Day, Hour, “User Account”</LI-CODE><P>&nbsp;</P> Tue, 20 Dec 2022 16:52:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624874#M107414 richgalloway 2022-12-20T16:52:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624876#M107415 <P>That work but it is not capturing 24 hours on Sat &amp; Sun (0000-2400). It is only doing my week day Hours IN&nbsp;</P> Tue, 20 Dec 2022 16:59:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624876#M107415 Johnsonbc 2022-12-20T16:59:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624890#M107416 <P>It appears to capture the right times for me.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="richgalloway_0-1671563710116.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23094i0A25DF1A75EAE908/image-size/medium?v=v2&amp;px=400" role="button" title="richgalloway_0-1671563710116.png" alt="richgalloway_0-1671563710116.png" /></span></P><P>&nbsp;</P> Tue, 20 Dec 2022 19:15:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624890#M107416 richgalloway 2022-12-20T19:15:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624891#M107417 <P>It was not working for me so, I created a dashboard with (Mon-Fri) so far.&nbsp;</P><P>| sort - _time</P><P>| eval user=lower(user)</P><P>|eval Day=strftime(_time,”%A”)</P><P>|eval Hour=strftime(_time,”%H”)</P><P>|eval Date=strftime(_time,”Y-%m-%d”)</P><P>| search Day IN (Monday) Hour IN (0,1,2,3,4,5,6,19,20,21,22,23)</P><P>| stats sum(user)</P><P>This gives me the number of user that log on after hours Mon-Fri and can drill down if need to. Still working on the weekend hours.</P> Tue, 20 Dec 2022 19:28:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624891#M107417 Johnsonbc 2022-12-20T19:28:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624964#M107427 <P>I think the reason it was not working for me is because I am running a PIVOT. I was having issues running "Earliest &amp; Latest" and other time &amp; date commands.</P> Wed, 21 Dec 2022 11:52:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-after-hour-report/m-p/624964#M107427 Johnsonbc 2022-12-21T11:52:37Z