Channel: Questions in topic: "splunk-enterprise"

Multiple Joins

Hi, I wonder whether someone may be able to help me please. I'm trying to perform the following:

1. For every user account set up,
2. check to see whether they have logged on in the last 12 months,
3. in addition, add the date on each user row when the account was created/amended.

I have set the first query, which searches for all user accounts:

| rest /services/authentication/users splunk_server=local
| fields title
| rename title as user

I have then set the second query, which highlights the accounts where the user hasn't logged on within the last 12 months:

index=_audit action="login attempt" earliest=-12mon
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| stats max(timestamp) as last_accessed by user
| convert timeformat="%d/%b/%Y" ctime(last_accessed)
| rename last_accessed as "Last Date Account Accessed"

I have then set up my third query, which extracts when the user's account was created or amended:

index=_audit action=edit_user operation=edit earliest=0
| rename object as user
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| stats min(timestamp) as created by user
| convert timeformat="%d/%b/%Y" ctime(created)
| rename created as "Date Account Created"

I have then joined them together:

| rest /services/authentication/users splunk_server=local
| fields title
| rename title as user
| join user type=left [
    | search index=_audit action="login attempt" earliest=-12mon
    | stats max(timestamp) as _time by user, sourcetype ]
| where isnull(sourcetype)
| fields - sourcetype
| join user type=outer [
    search index=_audit action=edit_user operation=edit earliest=0
    | rename object as user
    | eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
    | stats min(timestamp) as created by user
    | convert timeformat="%d/%b/%Y" ctime(created) ]

NB. I have set the earliest time to zero to capture this information from the beginning of time.

The problem I have is that it doesn't insert a date of account created against all the names, only some, and this seems to be because it is using the 'timepicker' date in the search panel rather than the hardcoded date. I'm not sure whether my logic is correct, so I'd like, if at all possible, for someone with a 'fresh pair of eyes' to look at this and check my logic, and if possible suggest a more efficient way of writing this, if indeed there is one.

Many thanks and kind regards,
Chris
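As an added example (editor's code, not Chris's query and not a Splunk-supplied search), the same three requirements can be met with a single pass over `_audit` plus one `append` and a `stats`, avoiding `join` altogether. `join` runs each bracketed search as a subsearch, and subsearches are subject to result-count and run-time limits (the `[join]` stanza in limits.conf), so an `earliest=0` scan of `_audit` inside a `join` can be silently truncated and leave some users without a created date, which matches the symptom described above. Putting the audit scan in the main search removes that ceiling. The example assumes the field names shown on the page (`user`, `object`, `action`, `operation`), that an `_audit` event's `_time` equals its `timestamp` field so no `strptime` is needed, and that the `rest` endpoint returns one row per account in `title`; the two placeholder strings for missing dates are the editor's choice.

```spl
index=_audit earliest=0 (action="login attempt" OR (action=edit_user operation=edit))
| eval user=if(action="edit_user", object, user)
| eval last_login=if(action="login attempt" AND _time>=relative_time(now(), "-12mon"), _time, null())
| eval created=if(action="edit_user", _time, null())
| fields user last_login created
| append [
    | rest /services/authentication/users splunk_server=local
    | fields title
    | rename title as user
    | eval is_account=1 ]
| stats max(last_login) as last_login, min(created) as created, max(is_account) as is_account by user
| where is_account=1
| eval "Last Date Account Accessed"=if(isnull(last_login), "no login in last 12 months", strftime(last_login, "%d/%b/%Y"))
| eval "Date Account Created"=if(isnull(created), "no edit_user event found", strftime(created, "%d/%b/%Y"))
| table user "Last Date Account Accessed" "Date Account Created"
```

The `stats ... by user` groups audit rows and account rows under the same key, so `is_account` marks which users still exist, `max(last_login)` and `min(created)` are computed on epoch values rather than on already-formatted strings (a string max of "dd/Mon/YYYY" sorts by day, not by date), and formatting is applied only at the end. To reproduce the original intent of listing only dormant accounts, add `| where isnull(last_login)` before the final `table`. Deleted accounts that still appear in `_audit` are dropped by the `is_account=1` filter; keep them if you also want a view of activity on accounts that no longer exist.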
