Hi @woodcock  still with all my tries the result is just showing night in shift column can you please test or check is there any logic wrongly defined in my query for attendance as I copy it from siem admin dashboard and just wanted to add correct shift in that query    ... View more

    | makeresults | eval user="Day",All_Attempts=10,src="src1",Started=now()-(24*60*60),Ended=now(),start_time=Started,end_time=Ended,totall_duration=end_time-start_time     above code is rejected by splunk so i omitted it  this is generating error i made the following changes and its showing all  last 24 results in night shifts  below code is only generating night shift for all last 24 hours which is i am getting through another code as well     index=it sourcetype=pulse:connectsecure vendor_product="Pulse Connect Secure" realm=Domain+DUO1001 earliest=-16h | iplocation src | eval Attempts= if(vendor_action="started","Session_Started","Session_Ended") | stats values(Attempts) AS All_Attempts values(src) AS src count(eval(Attempts="Session_Started")) AS Started count(eval(Attempts="Session_Ended")) AS Ended min(_time) AS start_time max(_time) AS end_time by user | eval Duration=end_time-start_time | search user=username-l2 OR user=username-l1 OR user=username1 OR user=username2 OR user=username3 OR user=username4 | convert ctime(start_time) | convert ctime(end_time) | eval totall_duration=tostring(Duration,"duration") | table user,All_Attempts,src,Started,Ended,start_time,end_time,totall_duration | eval HOUR_E2=strftime(start_time, "%H") | eval shift=case( HOUR_E2<7,"Night Shift", HOUR_E2<15,"Morning Shift", HOUR_E2<23,"Evening Shift", true(),"Night Shift") | fields - HOUR_E2     Second code that I tried give me the same night shift result only   index=it sourcetype=pulse:connectsecure vendor_product="Pulse Connect Secure" realm=Domain+DUO1001 earliest=-24h | iplocation src | eval Attempts= if(vendor_action="started","Session_Started","Session_Ended") | stats values(Attempts) AS All_Attempts values(src) AS src count(eval(Attempts="Session_Started")) AS Started count(eval(Attempts="Session_Ended")) AS Ended min(_time) AS start_time max(_time) AS end_time by user | eval Duration=end_time-start_time | search user=username-l2 OR user=username-l1 OR user=username1 OR user=username2 OR user=username3 OR user=username4 | convert ctime(start_time) | convert ctime(end_time)|eval iHour=strftime(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S"),"%H") |eval iDay=strftime(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d") |eval iDay=round(strptime(iDay,"%Y-%m-%d"),0) |eval shiftstart=if(start_time >= 7 AND start_time < 15,"Morning",if(start_time >= 15 AND start_time < 23,"Evening ","Night")) |eval shiftend=if(end_time >= 7 AND end_time < 15,"Morning",if(end_time >= 15 AND end_time < 23,"Evening ","Night")) | eval total_duration=tostring(Duration,"duration") | table user,shiftstart,shiftend,All_Attempts,src,Started,Ended,start_time,end_time,total_duration ... View more

@woodcock  Thank you so much for your kind reply  I am trying to run this on Pulse Secure integrated log which has two columns only session started and ended   is it possible if you can append the code which is generating the attendance with added shift calculation time range (session started and session ended ) a full query ?   looking forward   ... View more