
How do I identify user activity outside normal hours across time zones

danielransell
Path Finder

Can someone help me identify whether I have a time zone issue or a search implementation issue?

I have a props.conf under SPLUNKHOME\etc\system\local with the following:
[host::CA*]
TZ = US/Pacific

I am in the Eastern time zone and some of the computers I am collecting events for are in the Pacific time zone (named CA01, CA02, etc).
I am searching through Windows Security logs for after hour user activity where the hour is greater than 18 or less than 6.
My events for lax computers include events occurring at 3PM Pacific or later.

If I run a search, for all events with the applicable host name and pipe those results to a table with _time and _raw, there is a three hour difference between the _time value and the timestamp in the _raw event.
Using ./splunk cmd btool props list --debug, I confirmed that my [host::CA*] and TZ = US/Pacific were in the active props configuration.

My searches for events where the hour is greater than 18 rely on the following:
search string | eval hour = strftime(_time, "%H") | where (hour<=5 OR hour >=18)

Any suggestions?

1 Solution

dineshraj9
Builder

Using the search below will give you the hour based on your local timezone setting in Splunk:

search string | eval hour = strftime(_time, "%H") | where (hour<=5 OR hour >=18)

What you can try is,

1) Extract the hour part from the raw event using rex and then check if that value is < 6 or > 18.

2) Adjust _time so that all events are in the same timezone, and then do the check.

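A worked version of both suggestions, added here as an example rather than the original poster's or the answerer's search. The first search takes option 1: it reads the hour from the wall-clock timestamp the host itself wrote at the start of _raw, which is already in the host's local time (and already has daylight saving applied), so it needs no timezone arithmetic at all. The second search takes option 2: it derives the host-local hour from _time and a per-host UTC offset with plain integer arithmetic instead of strftime, because strftime would re-apply the searching user's timezone setting and reproduce the three-hour gap described in the question. Assumptions: the Security events were collected by the Universal Forwarder in its default (non-XML) rendering, so _raw begins with `MM/DD/YYYY hh:mm:ss AM|PM`; the index name `wineventlog`, the sourcetype `WinEventLog:Security`, the host prefix `CA` for Pacific hosts, an Eastern default for everything else, and the field names `EventCode` and `user` are assumptions to be replaced with the values from your own environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" host=CA*
| rex field=_raw "^\d{2}/\d{2}/\d{4}\s+(?<raw_hour>\d{1,2}):\d{2}:\d{2}\s+(?<raw_ampm>AM|PM)"
| eval raw_hour=tonumber(raw_hour)
| eval local_hour=case(raw_ampm=="AM" AND raw_hour==12, 0, raw_ampm=="PM" AND raw_hour<12, raw_hour+12, true(), raw_hour)
| where isnotnull(local_hour) AND (local_hour<6 OR local_hour>=18)
| table _time host local_hour EventCode user

index=wineventlog sourcetype="WinEventLog:Security"
| eval tz_offset_hours=case(match(host, "^CA"), -8, true(), -5)
| eval local_hour=floor((floor(_time + tz_offset_hours*3600) % 86400) / 3600)
| where local_hour<6 OR local_hour>=18
| table _time host tz_offset_hours local_hour EventCode user
```

Keep the `TZ = US/Pacific` stanza in props.conf either way: it is what makes _time correct, and _time still drives the time-range picker, the report's scheduling window and the ordering of results. The first search is the better fit for a recurring report because the host has already applied daylight saving to the wall clock it wrote, whereas the static offsets in the second search are wrong for half the year unless they are updated twice a year or replaced by a lookup that carries the current offset per host; the second search is still useful for sourcetypes whose raw text carries no local timestamp. Before trusting either query, validate it on a handful of events by placing `local_hour`, the timestamp at the start of _raw and `strftime(_time, "%H")` side by side in one table: the first two should agree and the third should differ by the Eastern-Pacific offset. Events that the rex does not match (for example XML-rendered events, whose _raw does not start with the timestamp) are silently dropped by the `isnotnull` check, so count them with `stats count(eval(isnull(local_hour)))` in a separate run to make sure the report is not quietly missing hosts.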


danielransell
Path Finder

Thanks. My intention is to include the results in a recurring report, so I guess my next step is to figure out Windows Security Log time extraction from the native event. I appreciate the review and feedback.
