Time-based exclusion on a search

mhale1982
Path Finder

Is it possible, and if so, how would I, filter specific terms but only for a certain time range within a broader search?

For example, say I’m retrieving all failed logons for the last 24 hours like this:

index=myindex logonmessage=FAILED

Now, let’s say there’s a certain account called bob that always fails to log on between 0200 and 0300 every day. We’ve investigated these and worked with the team responsible for the application, and these failures are expected and unchangeable due to some architectural considerations.

How do I modify my search to basically say:

NOT (username=bob AND timestamp > 0200 AND timestamp < 0300)

Is that possible?

Thank you all!


burwell
SplunkTrust

Hello. If the errors are only in that one hour, how about something like this? Splunk automatically gives you the date_hour field.

index=myindex logonmessage=FAILED date_hour!=2 username!=bob

Be sure to read the difference between != and NOT in the Splunk docs:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Search/NOTexpressions

i) username!=bob (implies there is a username field in the data and it doesn't match bob)
ii) NOT username=bob ... if the event doesn't have any field named username in it, it will be returned

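The compound exclusion the question asks for, written as an added example that is not either poster's search: it drops only bob's failures during the 0200-0300 hour and keeps every other failed logon, including bob's at other hours. It assumes the same index, logonmessage and username field names as the question; the hour is computed from _time in the search-time timezone, so it does not depend on the automatic date_hour field (which is derived from the event's own timestamp and is absent when no timestamp was extracted from the raw event).

```spl
index=myindex logonmessage=FAILED earliest=-24h
| eval hour=tonumber(strftime(_time, "%H"))
| where NOT (username=="bob" AND hour==2)
```

An event with no username field evaluates username=="bob" as false and is therefore kept, which is the intended behaviour here; note that string comparison in where is case-sensitive, whereas the equivalent base-search form NOT (username=bob AND date_hour=2) matches field values case-insensitively.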