Splunk Search

Search between specific time range

splunknewbie81
Engager

Hi,

Due to some compliance issue, there is a need to search for logs from 10pm to the following day 10am. This has to be a daily affair.

Can someone please show me how this is done?

Thank You

0 Karma

splunknewbie81
Engager

09/19/2021 03:55:51 PM
LogName=Security
EventCode=4624
EventType=0
ComputerName=AD-Server.testlab.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=27458
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: - This is what I am trying to capture.
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-18
Account Name: AD-SERVER$
Account Domain: TESTLAB.LOCAL
Logon ID: 0x4DCB94
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {416FA300-18E5-910D-E3C0-C4227DAEDEA2}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: fe80::eda5:784c:f765:5574
Source Port: 61946

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

0 Karma

splunknewbie81
Engager

@ITWhisperer,

Thanks for sharing. I made some changes and now this is how it turns out.

For the time range, this is my command -
[earliest=-7d@d-5h
latest=@d+7h]

As I am running this every Monday, I guess the search string should search for all the data 7 days back, starting 1900 hours to the following day 7am.


Not sure if anyone can assist, but I managed to extract the account name with the following command -
| rex "(?ms)Account Name:.*?Account Name:\s+(?<Account_Name>\S+)"

but it's extracting out all the (hostname$) and SYSTEM.

Is there any way to drop all the hostname$ and SYSTEM and only show the rest?


Thank You

regards,
Alex

0 Karma
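One way to put the pieces of this thread together (the 10pm to 10am window, the New Logon account extraction, and dropping the computer accounts and SYSTEM). This is an added example, not a search from the original posters; the index name and the extra rex fields are assumptions, since only the raw 4624 event text is on the page:

```spl
index=wineventlog LogName=Security EventCode=4624 earliest=@d-2h latest=@d+10h
| rex "(?ms)New Logon:.*?Account Name:\s+(?<Account_Name>\S+)"
| rex "(?ms)Logon Type:\s+(?<Logon_Type>\d+)"
| rex "(?ms)Source Network Address:\s+(?<Source_Network_Address>\S+)"
| search NOT Account_Name="*$" NOT Account_Name="SYSTEM" NOT Account_Name="-"
| table _time, ComputerName, Account_Name, Logon_Type, Source_Network_Address
```

The second rex anchors on "New Logon:" rather than on the first "Account Name:", so it always picks up the account that was logged on instead of the Subject account; the `*$` wildcard drops every value ending in `$` (AD-SERVER$ and any other machine account).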

ITWhisperer
SplunkTrust

Can you share your raw events to see what you are trying to extract from where?

0 Karma

splunknewbie81
Engager

@ITWhisperer,

Yes, the timings are not correct, but I was just testing to see if it works.

Is it necessary to include @d?

What is the purpose of bin span=1h _time?

If I run the search string every Monday against 1 week of data, I should be able to get all the information for that 1 week from 10pm to 10am. Please correct me if I am wrong.

Thank You

0 Karma

ITWhisperer
SplunkTrust

Is it necessary to include @d? - this snaps the time to the beginning of the day to give a known reference point from which to get to 10pm and 10am. If you didn't use it, the time of the search would depend on when it was executed.

What is the purpose of bin span=1h _time? - in my example, I was showing how to set the times, the example was how to do hourly counts of _internal based on the _time timestamp. This effectively groups all events in the same hour together.

If I run the search string every Monday against 1 week of data, I should be able to get all the information for that 1 week from 10pm to 10am. Please correct me if I am wrong. - yes, you should be able to get these events, but you would need more than just defining the earliest and latest, you would need to then exclude events you weren't interested in. You should have been clearer about what you were trying to do.

0 Karma

splunknewbie81
Engager

@ITWhisperer, I found this online and it works

earliest= "-1d@d+19h@h" latest="@d+7h@h"

Can you please explain in more detail on your search string?

0 Karma

ITWhisperer
SplunkTrust

@d snaps to the beginning of the day, -2 hours is 10pm the previous day, +10 hours is 10am on the current day, which is what you said you wanted. The solution you found elsewhere goes from 7pm to 7am, which is not what you wanted.

0 Karma

ITWhisperer
SplunkTrust

For example

index=_internal earliest=@d-2h latest=@d+10h | bin span=1h _time | stats count by _time
0 Karma
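The weekly variant raised earlier in the thread (run on Monday over the previous seven days, keeping only the 10pm to 10am portion of each day) needs the extra exclusion step ITWhisperer mentions, because earliest and latest alone only bound the whole week. This is an added example, not a search from the thread; the index name is an assumption:

```spl
index=wineventlog LogName=Security EventCode=4624 earliest=-7d@d-2h latest=@d+10h
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=22 OR hour<10
| eval window_end=if(hour>=22, relative_time(_time, "+1d@d"), relative_time(_time, "@d"))
| eval window=strftime(window_end, "%Y-%m-%d") . " 22:00-10:00"
| stats count by window
```

Each event that falls in a night window is labelled with the date of the morning that window ends on, so the stats line gives one row per 10pm to 10am period rather than per calendar day.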