Splunk Search

Search specific time

New Member

I am trying to set up a scheduled search that runs every morning and looks for users logged on between 2200 the previous day and 0200 of the current day (basically, I am looking for users that don't log off their workstations at the end of the day). Is there a method to perform this so that it runs every day and queries the previous 2200 - 0200?


Splunk Employee

In 4.1+, you can specify concatenated time ranges:

  • earliest: either @d-2h or -1d@d+22h
  • latest: @d+2h

and it will get those times regardless of when in the day your search runs. In 4.0, use Simeon's solution, which will depend on the scheduled run time of your search. There might be some other tricks using combinations of the date_hour field (date_hour>=22 OR date_hour<2) plus relative time ranges that will also work in 4.0.

Splunk Employee

You can use the time range of the scheduled search to perform this. When you save the search, there is an earliest and latest time range. Also, there is a cron formatted setting for when you want it to run. Let's assume you want to run the search at 8 am. Here is what you would configure in the saved search:

Schedule the search to use the following cron formatted timing (8 am daily):

0 8 * * *

Use the following start time (10 hours ago, on the hour):

-10h@h

Use the following finish time (6 hours ago, on the hour):

-6h@h
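As an added illustration (not part of either answer above): a small Python resolver for the subset of Splunk relative-time syntax used in both answers (signed offsets, an `@unit` snap, and offsets applied after the snap). It shows that the 4.1+ modifiers `@d-2h` / `-1d@d+22h` and `@d+2h` land on 22:00 to 02:00 whenever the search runs, while the 4.0 pair `-10h@h` / `-6h@h` only lines up when the search really runs at 08:00. The snap-to-unit semantics and the run times are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk relative-time syntax: [+-]N<unit> offsets, an optional
# @<unit> snap, and further offsets applied after the snap (e.g. -1d@d+22h).
# Units: s, m, h, d. Snap semantics are assumed to match Splunk's "@" behaviour.
_TOKEN = re.compile(r"([+-]\d+)([smhd])|@([smhd])")
_DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def _snap(t, unit):
    """Round t down to the start of the given unit (s/m/h/d)."""
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    return t.replace(microsecond=0)


def resolve(modifier, now):
    """Evaluate a relative-time modifier left to right against a concrete 'now'."""
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:                      # reject unparsed characters
            raise ValueError(f"bad modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):                            # "@d", "@h", ...: snap
            t = _snap(t, m.group(3))
        else:                                     # "-10h", "+22h", ...: offset
            t += timedelta(**{_DELTA[m.group(2)]: int(m.group(1))})
    if pos != len(modifier):
        raise ValueError(f"bad modifier: {modifier!r}")
    return t


def window(earliest, latest, now_iso):
    """Resolve both bounds against an ISO-8601 'now'; returns ISO strings."""
    now = datetime.fromisoformat(now_iso)
    return (resolve(earliest, now).isoformat(sep=" "),
            resolve(latest, now).isoformat(sep=" "))


if __name__ == "__main__":
    # Constructed run times: on schedule at 08:00, and a late run at 09:30.
    for run in ("2024-03-12 08:00:00", "2024-03-12 09:30:00"):
        print(run, "4.1+ :", window("@d-2h", "@d+2h", run))
        print(run, "4.1+ :", window("-1d@d+22h", "@d+2h", run))
        print(run, "4.0  :", window("-10h@h", "-6h@h", run))
```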
