Hi, I wonder whether someone may be able to help me please.
I'm using the query below to extract the date when Splunk user accounts have been created:
index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp
I'm then using the query below to extract a list of all user accounts:
|rest /services/authentication/users splunk_server=local
|fields realname
|rename realname as user
|table user
What I'd like to do is display a list of all user accounts and, if they have been created within a chosen time range, the date by the side of them.
So I've then tried to combine the two using the query below:
index=_audit action=edit_user operation=create
|fields object timestamp
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|join user[search |rest /services/authentication/users splunk_server=local
|fields realname
|rename realname as user
|table user]
|table user timestamp
The problem I have is that when I run this I receive the following error:
> Error in 'rest' command: This command must be the first command of a search.
I just wondered whether someone may be able to look at this please and let me know how I can get around this.
Many thanks and kind regards
Chris
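As an added example (not Chris's query or anything from Splunk's own documentation), one way to list every account with its creation date beside it when one exists: start the outer search with `rest`, which satisfies the first-command rule, and pull the creation events from `_audit` inside a left join subsearch so accounts with no creation event in the chosen range are still listed. It assumes that the `title` field returned by the REST endpoint is the login name that `_audit` records in `object`, and that the subsearch inherits the time picker range of the outer search.

```spl
| rest /services/authentication/users splunk_server=local
| fields title realname
| rename title as user
| join type=left user
    [ search index=_audit action=edit_user operation=create
      | fields object timestamp
      | rename object as user
      | eval created=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
      | eval created=strftime(created, "%d/%b/%Y")
      | table user created ]
| table user realname created
```

The `fields object timestamp` line keeps the raw `timestamp` field available for `strptime`; dropping it to `fields object` alone would leave `created` empty for every row.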