Splunk Search

How to use the "IF" statement to evaluate a window of time?

OfficeLackey
Engager

I apologize in advance as I'm new to Splunk searching...

I currently have a basic search for my dashboard that returns newly created user accounts:

index=wineventlog EventCode=4720| table _time Display_Name | sort generated_time

What I would like to do is enhance this with a new column to show me accounts created outside of normal business hours.

index=wineventlog EventCode=4720| table _time Display_Name | eval _time=if(_time(earliest="*/*/*:08:00:00" latest="*/*/*:17:00:00"), Normal, Abnormal)

I'm sure I'm completely screwing up this "IF" statement and evaluating the time window doesn't help it, so I'd appreciate any advice anyone has. Thanks!!


somesoni2
Revered Legend

Try like this

index=wineventlog EventCode=4720| table _time Display_Name 
| eval CreationTimeRemark=if(_time>=relative_time(_time,"@d+8h") AND _time<relative_time(_time,"@d+17h"), "Normal", "Abnormal")

The _time is a special field which (should) contain the epoch value of the timestamp and should be kept that way for its functionality. Here the if condition checks whether the value of _time (the timestamp of the event) falls within 8:00 and 17:00 of the same day.

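For anyone working out why the accepted answer works: relative_time(_time, "@d+8h") takes the event's own epoch timestamp, snaps it to midnight of that day ("@d") and adds eight hours, so each event is compared against 08:00 and 17:00 of the day it occurred rather than against a fixed date. Two caveats a detection engineer will care about: Splunk evaluates relative_time() and strftime() in the timezone of the user running the search, so if the domain controllers log in a different zone than the analyst's user preference the window will be shifted; and a weekday-only window still labels a Saturday account creation at 10:00 as "Normal". The search below is an added example written for this page, not code from the thread. It keeps _time as epoch (the asker's attempt to overwrite _time is what broke the original search), derives the hour and weekday with strftime(), and treats weekends as abnormal as well. Display_Name is taken from the question; the hour boundaries are an assumption to adjust to your own business hours.

```spl
index=wineventlog EventCode=4720
| eval hour_of_day=tonumber(strftime(_time, "%H"))
| eval day_of_week=strftime(_time, "%a")
| eval in_hours=if(hour_of_day>=8 AND hour_of_day<17, 1, 0)
| eval is_weekend=if(day_of_week="Sat" OR day_of_week="Sun", 1, 0)
| eval CreationTimeRemark=case(
      is_weekend=1, "Abnormal (weekend)",
      in_hours=0,   "Abnormal (after hours)",
      true(),       "Normal")
| table _time Display_Name day_of_week hour_of_day CreationTimeRemark
| sort - _time
```

If your event source and your Splunk user preference are in different timezones, set the user's timezone preference to match the domain controllers (or add the offset explicitly) before trusting the 08:00 to 17:00 boundary; a quick check is to pick one 4720 event and confirm that the hour_of_day column matches the hour shown in the raw event text.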


OfficeLackey
Engager

Awesome! Totally works!! Thanks!!!

Now I'll spend the next 3 days figuring out how it works... 😉
