Splunk Search

How to use the "IF" statement to evaluate a window of time?

OfficeLackey
Engager

I apologize in advance as I'm new to Splunk searching...

I currently have a basic search for my dashboard that returns newly created user accounts;

index=wineventlog EventCode=4720| table _time Display_Name | sort generated_time

What I would like to do is enhance this with a new column to show me accounts created outside of normal business hours.

index=wineventlog EventCode=4720| table _time Display_Name | eval _time=if(_time(earliest="*/*/*:08:00:00" latest="*/*/*:17:00:00"), Normal, Abnormal)

I'm sure I'm completely screwing up this "IF" statement and evaluating the time window doesn't help it, so I'd appreciate any advice anyone has. Thanks!!

1 Solution

somesoni2
Revered Legend

Try like this

index=wineventlog EventCode=4720| table _time Display_Name 
| eval CreationTimeRemark=if(_time>=relative_time(_time,"@d+8h") AND _time<relative_time(_time,"@d+17h"), "Normal", "Abnormal")

The _time is a special field which (should) contain the epoch value of the timestamp and should be kept that way for its functionalities. Here the if condition checks if the value of _time (timestamp of event) falls within 8:00 and 17:00 of the same day.
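The same check re-expressed in Python so the day-snapping done by relative_time(_time, "@d+8h") can be traced step by step. This is an added example, not code from the post; it assumes a search time zone of America/New_York and a few constructed EventCode=4720 rows.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

# Assumption: the time zone Splunk applies when snapping _time to "@d" (the search user's zone).
DEFAULT_TZ = ZoneInfo("America/New_York")


def relative_time_day_offset(epoch: float, hours: int, tz=DEFAULT_TZ) -> float:
    """Emulate relative_time(_time, "@d+<hours>h"): snap the event's own day to
    midnight in the given zone, then add <hours> hours. Returns epoch seconds."""
    local = datetime.fromtimestamp(epoch, tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return (midnight + timedelta(hours=hours)).timestamp()


def creation_time_remark(epoch: float, tz=DEFAULT_TZ) -> str:
    """The eval from the answer: Normal when 08:00 <= _time < 17:00 on the
    same day, otherwise Abnormal. 08:00 sharp is Normal, 17:00 sharp is Abnormal."""
    start = relative_time_day_offset(epoch, 8, tz)
    end = relative_time_day_offset(epoch, 17, tz)
    return "Normal" if start <= epoch < end else "Abnormal"


# Constructed sample standing in for EventCode=4720 rows: (_time as local ISO time, Display_Name).
SAMPLE_EVENTS = [
    ("2024-11-04T09:15:00", "svc-backup"),   # mid-morning: Normal
    ("2024-11-04T02:47:00", "tmp-admin"),    # 02:47: Abnormal, worth a look
    ("2024-11-04T08:00:00", "jdoe"),         # boundary: >= 08:00 is Normal
    ("2024-11-04T17:00:00", "contractor7"),  # boundary: 17:00 is not < 17:00, so Abnormal
]


def classify_events(events, tz=DEFAULT_TZ):
    """Produce the (_time, Display_Name, CreationTimeRemark) table the search builds."""
    rows = []
    for ts, name in events:
        epoch = datetime.fromisoformat(ts).replace(tzinfo=tz).timestamp()
        rows.append((ts, name, creation_time_remark(epoch, tz)))
    return rows


if __name__ == "__main__":
    for row in classify_events(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

Because the window is snapped per event, the comparison is against the event's own day, so the same eval keeps working across the whole dashboard time range without any hard-coded dates.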

OfficeLackey
Engager

Awesome! Totally works!! Thanks!!!

Now I'll spend the next 3 days figuring out how it works... 😉
