Looking to see if there is a way to search for only specific Windows event logs that occur after 4 pm up to 11:59 pm each day.
I know I can do this on a specific day, but I would like to get a look at all the times a user locks their workstation around the time people leave work for the day, all the way until the end of the day, and see it over a week's span or even a month's span.
Hello,
Try this
index=blah EventCode="" | eval Hour=tonumber(strftime(_time,"%H")) | where Hour>=16 AND Hour<=23 | table EventCode,Message
It's not an efficient search but will serve your purpose.
Thanks
Yes, you can. In short, you use this in your search:
<your search> date_hour>9 date_hour<18
For more details you can checkout this post.
http://answers.splunk.com/answers/2219/search-command-for-work-time
You won't ever get date_hour<24 being false, so only >15 is enough; it slipped my mind in my answer 😕
Thank you that did the trick, I just put in:
"eventidentifier=4800" date_hour>15 date_hour<24
and I got the results I was looking for!
Even shorter
..your base search terms.. date_hour>15
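As an added example (not code from anyone in this thread), here is a fuller form of the search the thread converges on, written so the after-hours lock events are summarised per day and per user over a month instead of listed raw. The index name wineventlog, the sourcetype WinEventLog:Security and the user field (as extracted by the Splunk Add-on for Microsoft Windows from the event's Account Name) are assumptions; adjust them to your environment. The block holds two searches: the first filters with date_hour, the second with strftime(_time), because the two do not always agree.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4800 earliest=-30d@d date_hour>=16
| eval day=strftime(_time, "%Y-%m-%d"), lock_time=strftime(_time, "%H:%M:%S")
| stats count AS locks, min(lock_time) AS first_lock, max(lock_time) AS last_lock BY day, user
| sort day, user

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4800 earliest=-30d@d
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=16
| eval day=strftime(_time, "%Y-%m-%d")
| stats count AS locks, min(strftime(_time, "%H:%M:%S")) AS first_lock BY day, user
| sort day, user
```

The first search is cheaper, because date_hour is an indexed field and the filter is applied before any events are read into the pipeline. The caveat is that date_hour is taken from the timestamp as written in the raw event, in the event's own time zone, and is not populated for events whose time was assigned at index time rather than parsed from the event; so for hosts logging in a different zone than the analyst, or for sources with unparsed timestamps, it can be off or empty. The second search converts _time with strftime, which renders in the time zone of the user running the search, and wraps it in tonumber so the where clause compares numbers rather than strings; it costs more because every 4800 event in the window is fetched first. Note also that event 4800 (workstation locked) is only written when the "Other Logon/Logoff Events" audit subcategory is enabled, so an empty result may mean auditing is off rather than that nobody locked a workstation.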