Splunk Search

How to search for loggins outside a specified time range?

scootsblue48
New Member

Hi,

I have been looking to see if splunk has the capability of searching for loggins outside of a specified set time range on windows and linux systems. What I mean by this is that I am looking to see loggings that only happen before, lets say, 0600 and after 1600. any information that i can get would be much appreciated.

Labels (1)
Tags (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I think you are looking for strftime.  In the following, I'll also use relative_time to simplify the logic.

| eval shour = strftime(relative_time(_time, "+8h"), "%H") ``` push start to zero ```
| where shour < 15

Hope this helps. 

Tags (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Splunk can search for almost anything (some searches are simply easier done than others). It's about what kind of data you have in your Splunk. Remember that Splunk searches data it has stored in its indexes so you first have to feed the data from various systems to splunk. If you do that, then yes, it can perform such searches if your data is properly onboarded.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...