Getting Data In

How do I identify user activity outside normal hours across time zones

danielransell
Path Finder

Can someone help me identify whether I have a time zone issue or a search implementation issue?

I have a props.conf under SPLUNKHOME\etc\system\local with the following:
[host::CA*]
TZ = US/Pacific

I am in the Eastern time zone and some of the computers I am collecting events for are in the Pacific time zone (named CA01, CA02, etc).
I am searching through Windows Security logs for after hour user activity where the hour is greater than 18 or less than 6.
My events for lax computers include events occurring at 3PM Pacific or later.

If I run a search, for all events with the applicable host name and pipe those results to a table with _time and _raw, there is a three hour difference between the _time value and the timestamp in the _raw event.
Using `./splunk cmd btool props list --debug`, I confirmed that my `[host::CA*]` and `TZ = US/Pacific` were in the active props configuration.

My searches for events where the hour is greater than 18 rely on the following:
search string | eval hour = strftime(_time, "%H") | where (hour<=5 OR hour >=18)

Any suggestions?

0 Karma
1 Solution

dineshraj9
Builder

Using the search below will give you the hour based on your local time zone setting in Splunk:

search string | eval hour = strftime(_time, "%H") | where (hour<=5 OR hour >=18)

What you can try is,

1) Extract the hour part from the raw event using rex and then check if that value is < 6 or > 18.

2) Adjust _time and adjust all events to same timezone and then do the check.

0 Karma
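The following is an added example that is not part of the original post and not Splunk's own code. It reproduces, in Python, both options from the accepted answer so the behaviour can be checked offline: option 2 renders each event's epoch `_time` in the originating host's zone (a `[host::CA*]`-style prefix map) before the hour test, and option 1 pulls the hour straight out of the raw text. It also shows why the question's search misfires: the same `_time` rendered in the search head's Eastern zone lands three hours later than the Pacific host's clock. The host names, event times and raw event text are constructed for the example; the layout of `_raw` assumes the classic (non-XML) Windows event format, whose first line is the host-local timestamp, and `America/Los_Angeles` / `America/New_York` are the IANA equivalents of `US/Pacific` / `US/Eastern`.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Mimics the props.conf stanza "[host::CA*] TZ = US/Pacific": hosts whose
# name starts with CA are Pacific; anything else is assumed to be in the
# search head's own zone (Eastern in the question). Assumption for the
# example: one prefix rule is enough; real deployments may need more.
HOST_TZ_PREFIXES = {"CA": "America/Los_Angeles"}
VIEWER_TZ = "America/New_York"  # zone the search head renders _time in

WIN_TS_FMT = "%m/%d/%Y %I:%M:%S %p"
WIN_TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")


def tz_for_host(host: str) -> str:
    """Resolve a host name to its zone the way a [host::CA*] stanza would."""
    for prefix, tz in HOST_TZ_PREFIXES.items():
        if host.upper().startswith(prefix):
            return tz
    return VIEWER_TZ


def hour_in_tz(epoch: float, tz: str) -> int:
    """Hour of day of an epoch timestamp rendered in zone tz.
    With tz = VIEWER_TZ this is what strftime(_time, "%H") returns."""
    return datetime.fromtimestamp(epoch, ZoneInfo(tz)).hour


def hour_from_raw(raw: str) -> int:
    """Option 1 from the answer: take the hour from the raw event text,
    which the forwarder already wrote in the host's local time."""
    m = WIN_TS_RE.match(raw)
    if not m:
        raise ValueError("no Windows event timestamp at the start of _raw")
    return datetime.strptime(m.group(1), WIN_TS_FMT).hour


def is_after_hours(hour: int) -> bool:
    """Same window as the question's search: before 06:00 or from 18:00."""
    return hour <= 5 or hour >= 18


def make_event(host: str, local_ts: str) -> dict:
    """Constructed sample event. _time is derived from the host-local
    timestamp using the host's zone, i.e. what Splunk stores once the
    TZ stanza is applied correctly at index time."""
    local = datetime.strptime(local_ts, WIN_TS_FMT).replace(
        tzinfo=ZoneInfo(tz_for_host(host)))
    raw = (f"{local_ts}\nLogName=Security\nEventCode=4624\n"
           f"Account_Name=jdoe\nComputerName={host}")
    return {"host": host, "_time": local.timestamp(), "_raw": raw}


# Constructed sample data (15 March 2024 is after the US DST switch, so the
# Pacific/Eastern offset is three hours, matching the question).
SAMPLE_EVENTS = [
    make_event("CA01", "03/15/2024 03:12:45 PM"),  # 15:12 Pacific = 18:12 Eastern
    make_event("CA02", "03/15/2024 10:30:00 PM"),  # 22:30 Pacific, genuinely late
    make_event("NY01", "03/15/2024 05:45:00 PM"),  # Eastern host, business hours
    make_event("CA03", "03/15/2024 12:10:00 AM"),  # 00:10 Pacific, genuinely late
]


def classify(event: dict, viewer_tz: str = VIEWER_TZ) -> dict:
    """Evaluate one event three ways: search-head zone, host zone, raw text."""
    host_tz = tz_for_host(event["host"])
    hour_viewer = hour_in_tz(event["_time"], viewer_tz)
    hour_host = hour_in_tz(event["_time"], host_tz)
    return {
        "host": event["host"],
        "hour_viewer": hour_viewer,
        "hour_host": hour_host,
        "hour_raw": hour_from_raw(event["_raw"]),
        "after_hours_viewer": is_after_hours(hour_viewer),
        "after_hours_host": is_after_hours(hour_host),
    }


def find_after_hours(events, viewer_tz: str = VIEWER_TZ):
    """Option 2: after-hours activity judged in each host's own zone."""
    return [c for c in (classify(e, viewer_tz) for e in events)
            if c["after_hours_host"]]


def false_positives(events, viewer_tz: str = VIEWER_TZ):
    """Events the original search flags only because of the zone offset."""
    return [c for c in (classify(e, viewer_tz) for e in events)
            if c["after_hours_viewer"] and not c["after_hours_host"]]


if __name__ == "__main__":
    for c in (classify(e) for e in SAMPLE_EVENTS):
        print(c)
    print("false positives:", [c["host"] for c in false_positives(SAMPLE_EVENTS)])
```

Running it shows CA01 flagged only in the Eastern rendering (hour 18) and cleared once the hour is taken in Pacific or from the raw text (hour 15); CA02 and CA03 are flagged either way. For a scheduled report, option 2 is the more robust of the two because it keeps using the indexed `_time` and the same host-to-zone mapping already in props.conf, whereas option 1 depends on the raw timestamp layout staying stable.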

danielransell
Path Finder

Thanks - My intentions are to include the results in a recurring report, so I guess my next step is to figure out Windows Security Log time extraction from the native event. I appreciate the review and feedback.

0 Karma