Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Define condition per timeframe

swimena
Explorer
‎02-19-2019 06:09 AM

Hi there,

I hope for some help with a query.

I'm using the following query to get a list of all failed login attempts and so far it works. 

index=smth EventCode=4625 Account_Domain="*"
 |fillnull value=NULL
 |eval Account_Name = mvindex(Account_Name,1) 
 |eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
 |stats count by host, Account_Name, LoginType, _time, Account_Domain
 |sort -count

I'd like to check whether it's possible to define additional condition based on predefined timeframes.

For example, I want to list all failed logins for domain RUSSIA for Russia's out of office hours "from 6pm to 7am"
Then the same condition but for ASIA and so on.

So, the condition will be - if failed login domain equals RUSSIA and timeframe equals (predefined value) then show in the report.

Hope it's clear what I want to do 🙂

0 Karma
Reply

macadminrohit
Contributor
‎02-19-2019 10:33 AM

you can convert your _time like this | eval TimeOfTheday=strftime(_time,"%R%p") and then again use the case of if conditions to put the time(hour) in the right buckets

Or You could first create epoch time for 6pm and 7am like this | eval StartTime=strptime("18:00","%H:%M") and | eval StartTime=strptime("07:00","%H:%M") and then apply ifelse :

index=smth EventCode=4625 Account_Domain="*" 
| fillnull value=NULL 
| eval Account_Name = mvindex(Account_Name,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials") 
| stats count by host, Account_Name, LoginType, _time, Account_Domain 
| sort -count 
| eval StartTime=strptime("18:00","%H:%M") 
| eval EndTime=strptime("22:00","%H:%M") | eval Buckets=if(_time>StartTime AND _time<EndTime,"6PM to 7 AM",EverythingElse)
0 Karma
Reply

swimena
Explorer
‎02-19-2019 10:34 PM

Perfect, thank you very much. I set it up for all the domains and it works like a charm.

0 Karma
Reply

somesoni2
Revered Legend
‎02-19-2019 06:49 AM

YOu do have the _time value in your final result, so you can extract hour value from it (or time of day), then you can have eval-case to assign the count to different field based on Account_Domain and hour values.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...