Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search weekday during time, and include all weekend days

Cmiddleton-oppd
Explorer
‎06-17-2024 01:35 PM

Hello, 
my current search is 

index=winsec source=WinEventLog:Security EventCode=6272 
| eval date_hour = strftime(_time, "%H")
| where date_hour >= 19 OR date_hour <=06
| timechart count(src_user)


This provides me with a graph of logins made after hours. I want to expand the acceptable items to include the entire days of saturday/sunday as well. When I attempt to add this, i get "no results" what would be the best way to include that? 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-17-2024 02:02 PM

Extract and test for the day of the week similar to how date_hour was done.

index=winsec source=WinEventLog:Security EventCode=6272 
| eval date_hour = strftime(_time, "%H"), date_wday = strftime(_time, "%A")
| where date_hour >= 19 OR date_hour <=06 OR date_wday = "Saturday" OR date_wday = "Sunday"
| timechart count(src_user)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-17-2024 02:02 PM

Extract and test for the day of the week similar to how date_hour was done.

index=winsec source=WinEventLog:Security EventCode=6272 
| eval date_hour = strftime(_time, "%H"), date_wday = strftime(_time, "%A")
| where date_hour >= 19 OR date_hour <=06 OR date_wday = "Saturday" OR date_wday = "Sunday"
| timechart count(src_user)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Cmiddleton-oppd
Explorer
‎06-18-2024 06:16 AM

I think this would work perfectly, but the system does not appear to have date_wday enabled. Using this term always provides me with " no results" 

0 Karma
Reply
Solved! Jump to solution

glc_slash_it
Path Finder
‎06-18-2024 07:07 AM

The date_wday is being created with the eval command on the second line...

I'll break it down for you.

| eval date_hour = strftime(_time, "%H")
| eval date_wday = strftime(_time, "%A")

 

Reply
Solved! Jump to solution

Cmiddleton-oppd
Explorer
‎06-18-2024 07:17 AM

You're right! my mistake, I didn't read the entire query.

Thanks for pointing out my mistake!

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...