topic Re: Getting logs for after hours access in Getting Data In

Getting logs for after hours access

kengilmour — Tue, 09 Oct 2012 14:33:54 GMT

Hello,

I want to be able to get logs from Splunk for anyone who came in to the building between 7PM and 7AM the next morning, and search back for the last 30 days but I'm having a difficult time finding out how to do it.

I've tried this:

index="main" source="accesscontrol.csv" | timechart count by User

But it truncates it down to just a few users and adds the rest of the users as "other". I'd just like a table of all users who were in the building between those hours.

Thanks!

Ken

Re: Getting logs for after hours access

alacercogitatus — Tue, 09 Oct 2012 14:45:18 GMT

Can you post an example of what is located in accesscontrol.csv?

Re: Getting logs for after hours access

dwaddle — Tue, 09 Oct 2012 14:52:12 GMT

If you want a table, a timechart is probably not the route you want to take. You might want to do something like this:

index="main" source="accesscontrol.csv" 
| eval access_hour=strftime(_time,"%H")
| where ( access_hour >= 19 OR access_hour < 7  ) 
| table _time,User

Re: Getting logs for after hours access

yannK — Tue, 09 Oct 2012 15:03:46 GMT

or directly date_hour.

index="main" source="accesscontrol.csv" (date_hour <7 OR date_hour>=19) | stats count values(date_hour) AS list_of_hours by User

Re: Getting logs for after hours access

kengilmour — Tue, 09 Oct 2012 15:09:20 GMT

That's excellent, thanks very much, it worked!

Re: Getting logs for after hours access

dwaddle — Tue, 09 Oct 2012 16:04:46 GMT

Excellent. Could you accept the answer please, by clicking on the checkbox to the left?

Re: Getting logs for after hours access

jwalzerpitt — Mon, 28 Sep 2020 18:09:16 GMT

If I wanted to get the count per user would the following be correct:

index="main" source=accesscontrol.csv"
| eval access_hour=strftime(_time,"%H") | where ( access_hour >= 19 OR access_hour < 7 )

| table _time,User | top 10 User showperc=false

Thx