Re: Search specific time

Mike_Spellane · ‎05-27-2010

I am trying to setup a scheduled search that runs every morning and looks for users logged on between 2200 the previous day and 0200 of the current day (basically, I am looking for users that don't logoff their workstations at the end of the day). Is there a method to perform this so that it runs everyday and query the previous 2200 - 0200?

gkanapathy · ‎05-27-2010

In 4.1+, you can specify concatenated time ranges:

earliest: either @d-2h or -1d@d+22h
latest: @d+2h

and it will get those times regardless of when in the day your search runs. In 4.0, use Simeon's solution, which will depend on the scheduled run time of your search. There might some some other tricks using combinations of the date_hour field (date_hour>=22 OR date_hour<2) plus relative time ranges that will also work in 4.0.

Simeon · ‎05-27-2010

You can use the time range of the scheduled search to perform this. When you save the search, there is an earliest and latest time range. Also, there is a cron formatted setting for when you want it to run. Let's assume you want to run the search at 8 am. Here is what you would configure in the saved search:

Schedule the search to use the following cron formatted timing (8 am daily):

0 8 * * *

Use the following start time (10 hours ago, on the hour):

-10h@h

Use the following finish time (6 hours ago, on the hour):

-6h@h

Search specific time

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...