Security

Can anyone please help with constructing a search for notable events that came in outside of core hours?

LionWolf
Explorer
 
Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This query looks for notable events that did not come between 0800 and 1800.  Modify it as necessary for your core hours.

index=notable
| where NOT (_time >= relative_time(_time, "@d+8h") AND _time <= relative_time(_time, "@d+18h"))
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

This query looks for notable events that did not come between 0800 and 1800.  Modify it as necessary for your core hours.

index=notable
| where NOT (_time >= relative_time(_time, "@d+8h") AND _time <= relative_time(_time, "@d+18h"))
---
If this reply helps you, Karma would be appreciated.

LionWolf
Explorer

This worked! Thank you so much! You taught me so much with this query!

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...