Date AND Time Range

whathuh · ‎09-09-2013

I'm pretty new to Splunk, so hopefully this is an easy question. I've looked all over the community questions and I have no problems finding out how to search for ranges of dates OR times, but for the life of me I can't figure out how to do dates AND times.

Basically I want to search for two EventCodes: 4624 and 4634. Because there are several thousand results on any given week, my only real concern is WHEN they logged on. I need to know when these IDs were created between the hours of 1700 and 0500 each day. I'd like to run this scan weekly, so is there a way to do -7d AND between 1700 and 0500 the next day? I hope I'm articulating this correctly. Any help would be greatly appreciated.

-Adam

adrianathome · ‎09-09-2013

Adam,
This answer should point you in the right direction.

http://answers.splunk.com/answers/61365/getting-logs-for-after-hours-access

lukejadamec · ‎09-09-2013

I've been looking for that post for an hour since I saw this post.

Date AND Time Range

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation

Date AND Time Range

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series