Re: Search specific time

Mike_Spellane · ‎05-27-2010

I am trying to setup a scheduled search that runs every morning and looks for users logged on between 2200 the previous day and 0200 of the current day (basically, I am looking for users that don't logoff their workstations at the end of the day). Is there a method to perform this so that it runs everyday and query the previous 2200 - 0200?

gkanapathy · ‎05-27-2010

In 4.1+, you can specify concatenated time ranges:

earliest: either @d-2h or -1d@d+22h
latest: @d+2h

and it will get those times regardless of when in the day your search runs. In 4.0, use Simeon's solution, which will depend on the scheduled run time of your search. There might some some other tricks using combinations of the date_hour field (date_hour>=22 OR date_hour<2) plus relative time ranges that will also work in 4.0.

Simeon · ‎05-27-2010

You can use the time range of the scheduled search to perform this. When you save the search, there is an earliest and latest time range. Also, there is a cron formatted setting for when you want it to run. Let's assume you want to run the search at 8 am. Here is what you would configure in the saved search:

Schedule the search to use the following cron formatted timing (8 am daily):

0 8 * * *

Use the following start time (10 hours ago, on the hour):

-10h@h

Use the following finish time (6 hours ago, on the hour):

-6h@h

Search specific time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation