I have a search that tracks VPN logins for known/unknown users that works fine. I am trying to filter for only logins during a specific time which for me is 11pm to 5am for whatever specified date range I give (prior day, week, month, or specific date to date). The current search I am using gives me all logins over the specific date range I choose. I am trying to come up with a search for instance for VPN logins during 11pm - 5am on any date between August 12 - 19. My current search is:
tag=vpn | eval legal_time=if(date_hour < 5 OR date_hour > 22,"No","Yes") | sort user _time | table user _time vendor_action legal_time | top limit=1000 vendor_action
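The core of the question is a time window that wraps past midnight, and the condition `date_hour < 5 AND date_hour > 22` in the posted search can never be true for any hour, so no event is ever flagged. The window has to be expressed as an OR of the two halves (23:00 to 23:59, and 00:00 to 04:59). The following Python script is an added example, not part of the original post or of Splunk, that runs the same "after hours" check over a handful of constructed VPN login records (the user names, timestamps, the year 2023 and the `success`/`failure` actions are all made up) and applies the August 12 to 19 date range the poster mentions. It also includes the broken AND condition so the contrast is visible.

```python
from datetime import datetime, date

# Constructed sample VPN login records (timestamp, user, vendor_action).
# These are illustrative only and are not taken from the original post.
SAMPLE_EVENTS = [
    ("2023-08-12 23:15:02", "alice",   "success"),  # 11:15 pm  -> after hours
    ("2023-08-13 04:59:59", "bob",     "success"),  # 4:59 am   -> after hours
    ("2023-08-13 05:00:00", "carol",   "success"),  # 5:00 am   -> window closed
    ("2023-08-14 12:30:00", "alice",   "failure"),  # midday    -> business hours
    ("2023-08-15 22:59:00", "dave",    "success"),  # 10:59 pm  -> just before window
    ("2023-08-19 01:10:00", "mallory", "failure"),  # 1:10 am   -> after hours
    ("2023-08-20 02:00:00", "eve",     "success"),  # after hours, but outside date range
]


def buggy_and_condition(hour: int) -> bool:
    """The condition as written in the posted search.

    No hour is both below 5 and above 22, so this is False for every hour
    and legal_time would always be "Yes".
    """
    return hour < 5 and hour > 22


def in_overnight_window(hour: int, start: int = 23, end: int = 5) -> bool:
    """True when hour is in [start, end), allowing the window to wrap past midnight.

    This generalises the 11pm-5am case in the post: a non-wrapping window
    (e.g. 9 to 17) is a single range check, a wrapping window (23 to 5) is the
    OR of its two halves, which is the fix for the AND in the original search.
    """
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end


def after_hours_logins(events, first_day: date, last_day: date,
                       start: int = 23, end: int = 5):
    """Return the login records that fall inside the date range and the
    overnight window, mirroring `eval legal_time=...` followed by a filter."""
    results = []
    for ts, user, action in events:
        # Splunk's date_hour comes from the event's own timestamp, so we use
        # the hour field of the parsed record rather than the current time.
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not (first_day <= t.date() <= last_day):
            continue
        legal_time = "No" if in_overnight_window(t.hour, start, end) else "Yes"
        if legal_time == "No":
            results.append({"user": user, "_time": ts,
                            "vendor_action": action, "legal_time": legal_time})
    return results


if __name__ == "__main__":
    for row in after_hours_logins(SAMPLE_EVENTS, date(2023, 8, 12), date(2023, 8, 19)):
        print(row)
```

The same boundary behaviour applies in SPL: `date_hour > 22` catches hour 23 and `date_hour < 5` catches hours 0 through 4, so a login at exactly 05:00 is treated as legal, which matches the "11pm to 5am" wording. One caveat worth checking in your own environment: `date_hour` is taken from the timestamp text in the raw event rather than adjusted to the searching user's time zone, so if the VPN appliance logs in UTC the window will be offset from local 11pm-5am.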