I defined a daily alert to monitor abnormal logins from 10 p.m. to 6 a.m., like below:
"EventCode=4624 Keywords="Audit Success" (LogonType=10 OR LogonType=2) earliest=-1d@d+22h latest=@d+6h"
Now I need to produce a monthly report, but when I change the time range to the previous month it doesn't work: the search still returns the daily result. I need to keep this time range (10 p.m. to 6 a.m.) per day and combine every day's result into one report.
Experts, could you give some suggestions or a search sentence? Thanks in advance.
@llidan, since you seem to be monitoring Windows Event Log data, you should have default fields like date_hour, date_mday etc. extracted from _time. You can use these in your base search to filter only the required events from 22-23 (PM) and 0-5 (AM).
Following is a query, as per your current search, which will pull the previous month's data. Hour data is from 22-23 and 0-5. Alternatively, if you are on 6.6 or higher, you can also use date_hour IN (0,1,2,3,4,5,22,23).
EventCode=4624 Keywords="Audit Success" (Logon_Type=10 OR Logon_Type=2) ((date_hour>=22 AND date_hour<24) OR (date_hour>=0 AND date_hour<6)) earliest=-1mon@mon latest=@mon
| stats count(eval(date_hour>=22 AND date_hour<24)) as night_window count(eval(date_hour>=0 AND date_hour<6)) as morning_window by date_year date_month date_mday
| streamstats last(date_mday) as previous_date last(night_window) as previous_night_window current=f window=1
| eval daily_total=morning_window+previous_night_window
| eval Date=date_year." ".date_month." ".date_mday
| where isnotnull(daily_total)
| fields Date daily_total
PS: I have used streamstats to pull the previous date and its night-window event count and add it to the current date's morning window, since your time window spans two days.
Alternatively, since you need hours 22 and 23 from the previous day to be accounted in the next day, you can also shift your _time by 2 hours so that 22 and 23 from the previous day become 0 and 1 on the same day.
EventCode=4624 Keywords="Audit Success" (Logon_Type=10 OR Logon_Type=2) date_hour IN (0,1,2,3,4,5,22,23) | eval _time=relative_time(_time,"+2h") | timechart span=1d count | where count>0
Please try it out and confirm!
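As an added example (editorial, not part of the answer above), here is the same "shift _time by two hours and bucket per day" idea written so that it does not depend on the date_* fields at all. Those fields are only created when Splunk parses a timestamp out of the raw event text, and they hold the hour as written in the event, not the timezone-adjusted _time; strftime(_time, "%H") is always available and renders in the searching user's timezone. The first search builds a handful of constructed timestamps with makeresults so the bucketing can be checked on a Splunk instance with no data; the second is the production form, where the index and sourcetype names are assumptions to be replaced with your own and the logon-type field name is whichever one your add-on extracts (LogonType as in the question, or Logon_Type as in the answer). Note the earliest/latest bounds are moved back two hours to match the shift, so the night window of the 1st of the month is included and the window of the month's last night is not pulled into the next month.

```spl
| makeresults
| eval ts=split("2018-03-31 22:15,2018-04-01 01:40,2018-04-01 05:59,2018-04-01 07:00,2018-04-01 23:30,2018-04-02 00:10,2018-04-02 21:59", ",")
| mvexpand ts
| eval _time=strptime(ts, "%Y-%m-%d %H:%M")
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=22 OR hour<6
| eval _time=_time+7200
| timechart span=1d count AS night_logons
| eval report_day=strftime(_time, "%Y-%m-%d")
| table report_day night_logons

index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Keywords="Audit Success" (LogonType=10 OR LogonType=2) earliest=-1mon@mon-2h latest=@mon-2h
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=22 OR hour<6
| eval _time=_time+7200
| timechart span=1d count AS night_logons
| eval report_day=strftime(_time, "%Y-%m-%d")
| table report_day night_logons
```

With the constructed timestamps the first search should return two rows: 2018-04-01 with 3 (22:15 on 31 March plus 01:40 and 05:59 on 1 April) and 2018-04-02 with 2 (23:30 on 1 April plus 00:10 on 2 April); the 07:00 and 21:59 events fall outside the window and are dropped. Each report_day therefore means "the night ending on that date", which is the per-day view the question asks for; timechart also emits zero rows for quiet nights, which is usually what you want in a monthly report (add | where night_logons>0 if not).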
Thanks for your kind answer, but when I try the search you gave, the field "date_hour" doesn't work; it doesn't exist in Splunk. Is that something you extract manually, or a default field?