Splunk Search

Define condition per timeframe

swimena
Explorer

Hi there,

I hope for some help with a query.

I'm using the following query to get a list of all failed login attempts, and so far it works.

index=smth EventCode=4625 Account_Domain="*"
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
| stats count by host, Account_Name, LoginType, _time, Account_Domain
| sort -count

I'd like to check whether it's possible to define an additional condition based on predefined timeframes.

For example, I want to list all failed logins for domain RUSSIA during Russia's out-of-office hours, "from 6pm to 7am".
Then the same condition but for ASIA, and so on.

So the condition will be: if the failed login domain equals RUSSIA and the timeframe equals (predefined value), then show it in the report.

Hope it's clear what I want to do 🙂


macadminrohit
Contributor

You can convert your _time like this: | eval TimeOfTheday=strftime(_time,"%R%p") and then use case or if conditions to put the time (hour) in the right buckets.

Or you could first create epoch times for 6pm and 7am like this: | eval StartTime=strptime("18:00","%H:%M") and | eval EndTime=strptime("07:00","%H:%M") and then apply if/else:

index=smth EventCode=4625 Account_Domain="*"
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
| eval StartTime=strptime("18:00","%H:%M")
| eval EndTime=strptime("07:00","%H:%M")
| eval Buckets=if(_time>=StartTime OR _time<EndTime,"6PM to 7AM","Everything else")
| stats count by host, Account_Name, LoginType, _time, Account_Domain, Buckets
| sort -count
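The same bucketing logic as an added example in Python (not code from this thread or from Splunk), so the two details that bite in practice are explicit: an 18:00 to 07:00 window crosses midnight, so the membership test is an OR rather than an AND, and "18:00" means 18:00 in that domain's local timezone while the event's _time is a UTC epoch. The domain names, timezone offsets, office windows and sample events are all constructed for the example; the event lines are a flat key=value summary of the 4625 fields the search uses, not raw Windows events.

```python
"""Per-domain out-of-office-hours bucketing of failed logons (EventCode 4625).

Added example, not from the thread. Domains, offsets and events are constructed.
"""
from collections import Counter
from datetime import datetime, time, timedelta, timezone

# Assumed policy: office window per Account_Domain, expressed in that domain's
# local time. Fixed offsets keep the example free of a tz database; in real use
# prefer zoneinfo.ZoneInfo("Europe/Moscow") etc. so DST changes are handled.
OFFICE_HOURS = {
    "RUSSIA": (timezone(timedelta(hours=3), "MSK"), time(7, 0), time(18, 0)),
    "ASIA": (timezone(timedelta(hours=8), "SGT"), time(7, 0), time(18, 0)),
}

# A second constructed policy whose office window itself crosses midnight.
NIGHT_SHIFT = {"NIGHT": (timezone.utc, time(22, 0), time(6, 0))}

LOGON_TYPES = {
    3: "RPC (not RDP)", 4: "Batch", 5: "Service",
    7: "Screen Unlock/Session Resume", 9: "New Credentials",
    10: "Remote Desktop", 11: "Cached",
}


def parse_event(line):
    """Parse one constructed 'key=value ...' summary line into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["_time"] = int(fields["_time"])          # UTC epoch seconds
    fields["Logon_Type"] = int(fields["Logon_Type"])
    return fields


def bucket(epoch, domain, policy=OFFICE_HOURS):
    """Classify one event as 'Office hours', 'Out of office' or 'No policy'."""
    if domain not in policy:                        # e.g. NULL from fillnull
        return "No policy"
    tz, start, end = policy[domain]
    local = datetime.fromtimestamp(epoch, tz).time()  # hour of day in local tz
    if start <= end:                                # normal window, 07:00-18:00
        in_office = start <= local < end
    else:                                           # window crosses midnight
        in_office = local >= start or local < end
    return "Office hours" if in_office else "Out of office"


def report(lines, policy=OFFICE_HOURS):
    """Equivalent of: stats count by host, Account_Name, LoginType, Account_Domain, Bucket | sort -count."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["Account_Name"],
               LOGON_TYPES.get(ev["Logon_Type"], "Unknown"),
               ev["Account_Domain"],
               bucket(ev["_time"], ev["Account_Domain"], policy))
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def out_of_office(lines, policy=OFFICE_HOURS):
    """Only the rows the original question asked for."""
    return [row for row in report(lines, policy) if row[0][4] == "Out of office"]


def epoch_at(y, m, d, hh, mm, tz=timezone.utc):
    """Helper to build sample timestamps without hand-computing epochs."""
    return int(datetime(y, m, d, hh, mm, tzinfo=tz).timestamp())


MSK = OFFICE_HOURS["RUSSIA"][0]
# Constructed sample events (summary fields, not real Windows security log data).
SAMPLE_EVENTS = [
    f"_time={epoch_at(2023, 11, 14, 20, 30, MSK)} host=dc01 Account_Domain=RUSSIA Account_Name=svc-backup Logon_Type=10",
    f"_time={epoch_at(2023, 11, 15, 6, 15, MSK)} host=dc01 Account_Domain=RUSSIA Account_Name=svc-backup Logon_Type=10",
    f"_time={epoch_at(2023, 11, 14, 16, 0, MSK)} host=dc01 Account_Domain=RUSSIA Account_Name=jdoe Logon_Type=3",
    # Same instant as the line above (13:00 UTC): 16:00 in Moscow, 21:00 in Singapore.
    f"_time={epoch_at(2023, 11, 14, 13, 0)} host=dc02 Account_Domain=ASIA Account_Name=jdoe Logon_Type=3",
    f"_time={epoch_at(2023, 11, 14, 13, 0)} host=dc03 Account_Domain=NULL Account_Name=Administrator Logon_Type=3",
]

if __name__ == "__main__":
    for key, n in report(SAMPLE_EVENTS):
        print(n, *key)
```

The equivalent SPL test is an hour-of-day comparison rather than a comparison against strptime("18:00","%H:%M"), which resolves to 18:00 on the current date and so only buckets today's events correctly: | eval Hour=tonumber(strftime(_time,"%H")) | eval Buckets=if(Hour>=18 OR Hour<7,"6PM to 7AM","Everything else"), placed before the stats so Buckets can be a by-field. Note that strftime renders _time in the timezone of the user running the search, so for a per-domain window the offset for that domain has to be applied to _time (for example with a case() on Account_Domain) before the hour is taken, which is what the tz element of the policy does above.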

swimena
Explorer

Perfect, thank you very much. I set it up for all the domains and it works like a charm.


somesoni2
Revered Legend

You do have the _time value in your final result, so you can extract the hour value from it (or the time of day), and then use eval/case to assign the count to a different field based on the Account_Domain and hour values.
