I want to tracking login and logout users on computers with timebased lookup.
I have logon and logoff time for example in timebased-lookup;
_time,user,host,type
09:00AM, someuser1, ComptuerA,logon
10:00AM, someuser1, ComputerA,logoff
10:00PM, otheruser2, ComptuerA,logon
11:00PMi otheruser2, ComputerA,logoff
and if I do another search with just the account name ı want to see logged user in a timerange.
The other raw log is;
09:00AM host=ComptuerA type=infection file=malware.exe
for example ;
11:00AM host=ComputerA type=scanning
11:34PM host=ComputerA type=cleaning
How do I add username someuser1 only to events between 9 o'clock and 10 o'clock on computerA with timebased-lookup?
Thank you for helping.
doc with example for timebased lookup.
https://docs.splunk.com/Documentation/Splunk/8.0.6/Knowledge/Configureatime-boundedlookup