I apologize in advance as I'm new to Splunk searching...
I currently have a basic search for my dashboard that returns newly created user accounts:
index=wineventlog EventCode=4720| table _time Display_Name | sort generated_time
What I would like to do is enhance this with a new column to show me accounts created outside of normal business hours.
index=wineventlog EventCode=4720| table _time Display_Name | eval _time=if(_time(earliest="*/*/*:08:00:00" latest="*/*/*:17:00:00"), Normal, Abnormal)
I'm sure I'm completely screwing up this "IF" statement and evaluating the time window doesn't help it, so I'd appreciate any advice anyone has. Thanks!!
Try like this
index=wineventlog EventCode=4720| table _time Display_Name
| eval CreationTimeRemark=if(_time>=relative_time(_time,"@d+8h") AND _time<relative_time(_time,"@d+17h"), "Normal", "Abnormal")
The _time is a special field which (should) contain the epoch value of the timestamp and should be kept that way for its functionality. Here the if condition checks whether the value of _time (the timestamp of the event) falls within 8:00 and 17:00 of the same day.
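As an added illustration (not part of the original answer), the same window check is reproduced below in Python over a constructed set of EventCode=4720 timestamps. It also makes visible what the answer's "@d" snapping implies but does not spell out: the Normal/Abnormal result depends on which timezone midnight is taken in, so one event can be "Normal" for a UTC user and "Abnormal" for a UTC-4 user. The fixed UTC-4 offset and the sample events are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed EventCode=4720 sample: (_time as epoch seconds, Display_Name).
# Timestamps are built from UTC wall-clock times so the cases are readable.
def _utc(y, mo, d, h, mi):
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())

EVENTS = [
    (_utc(2024, 3, 12, 8, 0), "svc_backup"),   # exactly 08:00 UTC (start is inclusive)
    (_utc(2024, 3, 12, 16, 59), "j.doe"),      # last minute inside the window
    (_utc(2024, 3, 12, 17, 0), "tmp_admin"),   # exactly 17:00 UTC (end is exclusive)
    (_utc(2024, 3, 12, 2, 30), "helpdesk2"),   # middle of the night
]

def day_snap_plus_hours(ts, hours, tz):
    """Equivalent of relative_time(_time, "@d+<hours>h"): midnight of the
    event's own day in the given timezone, plus the offset, as epoch seconds."""
    local = datetime.fromtimestamp(ts, tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight + timedelta(hours=hours)).timestamp())

def creation_time_remark(ts, tz, start_hour=8, end_hour=17):
    """Mirror the answer's eval: _time >= @d+8h AND _time < @d+17h."""
    start = day_snap_plus_hours(ts, start_hour, tz)
    end = day_snap_plus_hours(ts, end_hour, tz)
    return "Normal" if start <= ts < end else "Abnormal"

def classify_events(events, tz):
    """Return (Display_Name, CreationTimeRemark) for every event."""
    return [(name, creation_time_remark(ts, tz)) for ts, name in events]

UTC = timezone.utc
# Assumed fixed offset standing in for the Splunk user's configured timezone;
# a real deployment would use zoneinfo.ZoneInfo so DST is handled.
UTC_MINUS_4 = timezone(timedelta(hours=-4))

if __name__ == "__main__":
    for label, tz in (("UTC", UTC), ("UTC-4", UTC_MINUS_4)):
        print(label, classify_events(EVENTS, tz))
```

Run it to see the same four events classified differently under the two timezones; the 17:00 boundary case is "Abnormal" because the answer's upper bound uses a strict less-than.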
Awesome! Totally works!! Thanks!!!
Now I'll spend the next 3 days figuring out how it works... 😉