Search specific time

Mike_Spellane
New Member

I am trying to set up a scheduled search that runs every morning and looks for users logged on between 2200 the previous day and 0200 of the current day (basically, I am looking for users that don't log off their workstations at the end of the day). Is there a method to perform this so that it runs every day and queries the previous 2200 - 0200?


gkanapathy
Splunk Employee

In 4.1+, you can specify concatenated time ranges:

  • earliest: either @d-2h or -1d@d+22h
  • latest: @d+2h

and it will get those times regardless of when in the day your search runs. In 4.0, use Simeon's solution, which will depend on the scheduled run time of your search. There might be some other tricks using combinations of the date_hour field (date_hour>=22 OR date_hour<2) plus relative time ranges that will also work in 4.0.

Simeon
Splunk Employee

You can use the time range of the scheduled search to perform this. When you save the search, there is an earliest and latest time range. Also, there is a cron formatted setting for when you want it to run. Let's assume you want to run the search at 8 am. Here is what you would configure in the saved search:

Schedule the search to use the following cron formatted timing (8 am daily):

0 8 * * *

Use the following start time (10 hours ago, on the hour):

-10h@h

Use the following finish time (6 hours ago, on the hour):

-6h@h
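The difference between the two answers is easiest to see by resolving the modifiers against a concrete run time. The script below is an added example, not code from either poster or from Splunk: it models the subset of Splunk's relative time syntax used in this thread (offsets in s/m/h/d and `@unit` snaps, applied left to right) in plain Python, then resolves gkanapathy's `@d-2h` / `-1d@d+22h` / `@d+2h` and Simeon's `-10h@h` / `-6h@h` against a constructed 08:00 run and a constructed late 11:30 run. The run times and the `window_iso` / `in_overnight_window` helpers are assumptions for illustration; times are naive, standing in for the search head's local time zone. For a scheduled detection search this matters: a window anchored on the run time drifts when the scheduler runs late, so events at the edges are missed or double-counted, while a window snapped to `@d` stays fixed.

```python
import re
from datetime import datetime, timedelta

# Seconds per unit for the subset of Splunk time units handled here
# (s, m, h, d). Weeks, months, quarters and years are out of scope: assumption.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# One token is either an offset such as "-10h" / "+22h" / "-d" (count
# defaults to 1) or a snap such as "@h" / "@d".
_TOKEN = re.compile(r"([+-]?)(\d*)([smhd])|@([smhd])")


def snap_to(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit (Splunk's @unit)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit {unit!r}")


def resolve(modifier: str, now: datetime) -> datetime:
    """Apply a relative time modifier to `now`, token by token, left to right.

    "-1d@d+22h" means: go back one day, snap to the start of that day,
    then add 22 hours. Applying the tokens in order reproduces that.
    """
    t = now
    pos = 0
    while pos < len(modifier):
        m = _TOKEN.match(modifier, pos)
        if m is None:
            raise ValueError(f"cannot parse {modifier!r} at {modifier[pos:]!r}")
        sign, count, unit, snap = m.groups()
        if snap:
            t = snap_to(t, snap)
        else:
            n = int(count) if count else 1
            delta = timedelta(seconds=n * UNIT_SECONDS[unit])
            t = t - delta if sign == "-" else t + delta
        pos = m.end()
    return t


def window_iso(earliest: str, latest: str, run_at_iso: str) -> tuple:
    """Resolve an (earliest, latest) pair against a scheduled run time (hypothetical helper)."""
    run_at = datetime.fromisoformat(run_at_iso)
    return (resolve(earliest, run_at).isoformat(),
            resolve(latest, run_at).isoformat())


def in_overnight_window(date_hour: int) -> bool:
    """The 4.0-era field filter from the thread: date_hour>=22 OR date_hour<2."""
    return date_hour >= 22 or date_hour < 2


if __name__ == "__main__":
    # Constructed run times: the scheduled 08:00 run, and an 11:30 run to
    # stand in for a scheduler that fell behind.
    for run_at in ("2024-03-05T08:00:00", "2024-03-05T11:30:00"):
        print(f"search runs at {run_at}")
        print("  @d-2h .. @d+2h     ->", window_iso("@d-2h", "@d+2h", run_at))
        print("  -1d@d+22h .. @d+2h ->", window_iso("-1d@d+22h", "@d+2h", run_at))
        print("  -10h@h .. -6h@h    ->", window_iso("-10h@h", "-6h@h", run_at))
```

At 08:00 both approaches give 2024-03-04 22:00 to 2024-03-05 02:00. At 11:30 the `@d`-anchored pair still does, while `-10h@h .. -6h@h` slides to 01:00 .. 05:00 of the current day. The `date_hour` filter is only a coarse fallback, since it keeps events from the right hours of any day inside whatever relative range is combined with it.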
