topic How to use the "IF" statement to evaluate a window of time? in Splunk Search

How to use the "IF" statement to evaluate a window of time?

OfficeLackey — Fri, 15 Jun 2018 15:13:13 GMT

I apologize in advance as I'm new to Splunk searching...

I currently have a basic search for my dashboard that returns newly created user accounts;

index=wineventlog EventCode=4720| table _time Display_Name | sort generated_time

What I would like to do is enhance this with a new column to show me accounts created outside of normal business hours.

index=wineventlog EventCode=4720| table _time Display_Name | eval _time=if(_time(earliest="*/*/*:08:00:00" latest="*/*/*:17:00:00"), Normal, Abnormal)

I'm sure I'm completely screwing up this "IF" statement and evaluating the time window doesn't help it, so I'd appreciate any advice anyone has. Thanks!!

Re: How to use the "IF" statement to evaluate a window of time?

somesoni2 — Fri, 15 Jun 2018 18:12:07 GMT

Try like this

index=wineventlog EventCode=4720| table _time Display_Name 
| eval CreationTimeRemark=if(_time>=relative_time(_time,"@d+8h") AND _time<relative_time(_time,"@d+17h"), "Normal", "Abnormal")

The _time is a special field which (should) contains epoch value of the timestamp and should be kept that way for it's functionalities. Here the if conditions check if the value of _time (timestamp of event) falls within 8:00 and 17:00 of the same day.

Re: How to use the "IF" statement to evaluate a window of time?

OfficeLackey — Fri, 15 Jun 2018 20:29:32 GMT

Awesome! Totally works!! Thanks!!!

Now I'll spend the next 3 days figuring out how it works... 😉