Search event logs that only accrue between 4PM to ...

kpers · ‎02-27-2014

Looking to see if there is a way to search for only specific windows event logs that accrue after 4 pm up to 11:59 pm each day.

I know I can do this on a specific day but I would like to get a look at all the times a user locks their workstation that accrue around the time people leave work for the day all the way till the end of the day and see it over a weeks span or even an months span.

linu1988 · ‎02-27-2014

Hello,
Try this

index=blah EventCode=""|eval Hour=strftime(_time,"%H")|table EventCode,Message|where Hour >16 AND Hour <= 23

It's not an efficient search but will serve your purpose.

Thanks

lukejadamec · ‎02-27-2014

Yes you can. I short you use this in your search:

<your search> date_hour>9 date_hour<18

For more details you can checkout this post.

http://answers.splunk.com/answers/2219/search-command-for-work-time

linu1988 · ‎02-27-2014

date_hour<24 you wont get ever so only > 15 is enough, was out of my mind in my answer 😕

kpers · ‎02-27-2014

Thank you that did the trick, I just put in:
"eventidentifier=4800" date_hour>15 date_hour<24
and I got the results I was looking for!

somesoni2 · ‎02-27-2014

Even shorter

..your base search terms.. date_hour>15

Search event logs that only accrue between 4PM to 11:59PM every day

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials