https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378701#M111008 <P>Ah, damn, I saw that, but forget to post it here. Sorry!</P> Wed, 02 May 2018 15:13:00 GMT xpac 2018-05-02T15:13:00Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378695#M111002 <P>I want to write a query to see what time range users are using in their searches. e.g. 90% of searches use the last 24 hours and 10% of searches use 1+ day ago for the time frame.</P> <P>I am using the following search:</P> <PRE><CODE>index="_audit" action=search | eval searchExecutedTime = strptime(timestamp,"%m/%d/%Y") | eval searchTimeFrameStart = strptime(apiStartTime,"%m/%d/%Y") | eval past = searchExecutedTime - searchTimeFrameStart | table past </CODE></PRE> <P>When I run this search it just opens to the statistics tab with an empty table but the tab shows that there are 2000+ results.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4895i63CD14D6FB6B71D5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 01 May 2018 15:19:12 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378695#M111002 dtow1 2018-05-01T15:19:12Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378696#M111003 <P>Give this a try</P> <PRE><CODE>index="_audit" action=search search_id=* api_et=* api_lt=* | eval Past=tostring(round(api_lt-api_et),"duration") | stats count by Past </CODE></PRE> Tue, 01 May 2018 15:36:14 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378696#M111003 somesoni2 2018-05-01T15:36:14Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378697#M111004 <P>I just checked my audit log, and at least from what I see your timestamp format are completely off. <CODE>timestamp</CODE> and <CODE>apiStartTime</CODE> are in completely different formats, returning both fields as empty, resulting in <CODE>past</CODE> being empty, and therefore getting an empty table with 2000+ lines, because in all events the <CODE>past</CODE> field does not exist.</P> <P>If you fix your timestamp parsings, everything should be fine <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Check the <A href="http://strftime.org/">strftime.org documentation</A> for an overview.</P> Tue, 01 May 2018 15:45:41 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378697#M111004 xpac 2018-05-01T15:45:41Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378698#M111005 <P>Thank you very much. I think you found my problem (user error). I have been able to correct the timestamp extraction and that one is working great now. I am still unable to get results with the apiStartTime part though. Do you see anything wrong with it?</P> <P>Here is what I am trying to match and what I used:</P> <PRE><CODE>Sat Mar 31 00:00:00 2018 “%a %b %d %H:%M:%S %Y” </CODE></PRE> Tue, 01 May 2018 16:30:34 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378698#M111005 dtow1 2018-05-01T16:30:34Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378699#M111006 <P>It needed single quotes included. "'%a...%Y'"</P> Wed, 02 May 2018 15:02:35 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378699#M111006 dtow1 2018-05-02T15:02:35Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378700#M111007 <P>Thank you that was helpful. </P> Wed, 02 May 2018 15:03:37 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378700#M111007 dtow1 2018-05-02T15:03:37Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378701#M111008 <P>Ah, damn, I saw that, but forget to post it here. Sorry!</P> Wed, 02 May 2018 15:13:00 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378701#M111008 xpac 2018-05-02T15:13:00Z https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378702#M111009 <P>No worries, that was the info I needed and it got me straightened out. I appreciate it!</P> Wed, 02 May 2018 15:15:17 GMT https://community.splunk.com/t5/Splunk-Search/See-what-time-range-users-search/m-p/378702#M111009 dtow1 2018-05-02T15:15:17Z