I apologize in advance as I'm new to Splunk searching...
I currently have a basic search for my dashboard that returns newly created user accounts;
index=wineventlog EventCode=4720 | table _time Display_Name | sort _time
What I would like to do is enhance this with a new column to show me accounts created outside of normal business hours.
index=wineventlog EventCode=4720 | eval hour=tonumber(strftime(_time, "%H")) | eval created_when=if(hour>=8 AND hour<17, "Normal", "Abnormal") | table _time Display_Name created_when
I'm sure I'm completely screwing up this "IF" statement and evaluating the time window doesn't help it, so I'd appreciate any advice anyone has. Thanks!!
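An added example (not the poster's own search) that goes a step further than a plain business-hours check: it also flags weekend creations, which are just as worth a second look as after-hours ones. It assumes the Display_Name field from the question and that _time is already rendered in the timezone you consider local; weekend days and the 08:00 to 17:00 window are assumptions you should adjust to your environment.

```spl
index=wineventlog EventCode=4720
| eval hour=tonumber(strftime(_time, "%H")), wday=strftime(_time, "%a")
| eval created_when=case(
    wday="Sat" OR wday="Sun", "Weekend",
    hour>=8 AND hour<17,      "Business hours",
    true(),                   "After hours")
| table _time Display_Name created_when
| sort -_time
```

Because `_time` is kept as a real timestamp rather than overwritten by the eval, the dashboard's time picker and sorting keep working; `strftime` follows the user's Splunk timezone setting, so check that setting if the hours look shifted.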