Hi, I wonder whether someone may be able to help me please with what may seem a really dumb question.
I'm using the query below to extract user accounts with a creation date which returns 430 records.
| rest /services/authentication/users splunk_server=local
| fields title
| rename title as user
| join user [search index=_audit action=edit_user operation=create
| rename object as user
| stats list(timestamp) as "created" by user]
The problem I have is that I should have a list of 440 which I then want to add the date against.
Could someone tell me please why I'm not able to create the full list?
I do know that some of the accounts don't have "operation=create" value in the raw data but rather "operation=edit", but either way I would have thought the full list should be created and then if the subsearch doesn't match then the date entry will be blank.
Many thanks and kind regards
Chris
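The behaviour the post describes comes from `join` semantics rather than from the data: Splunk's `join` defaults to an inner join, so any account from the `rest` call that has no matching row in the subsearch is dropped, whereas `join type=left` keeps every left-side row and leaves `created` empty where nothing matched. The following is an added illustration, not code from the original post or from Splunk, that reproduces both join types in Python over a constructed user list and constructed `_audit`-style events (the user names, timestamps and event shapes are made up for the example).

```python
from collections import defaultdict

# Constructed sample data standing in for the two sides of the Splunk query.
# Left side: the rows `| rest /services/authentication/users` would return,
# one per account (five here in place of the 440 in the post).
USERS = ["admin", "alice", "bob", "carol", "dave"]

# Right side: constructed _audit events. Only some accounts have an
# action=edit_user operation=create event; "carol" only ever has
# operation=edit, and "dave" never appears in the audit data at all.
AUDIT_EVENTS = [
    {"timestamp": "01-10-2023 09:00:00.000", "action": "edit_user", "operation": "create", "object": "admin"},
    {"timestamp": "02-10-2023 10:15:00.000", "action": "edit_user", "operation": "create", "object": "alice"},
    {"timestamp": "02-10-2023 10:20:00.000", "action": "edit_user", "operation": "edit",   "object": "alice"},
    {"timestamp": "03-10-2023 11:30:00.000", "action": "edit_user", "operation": "create", "object": "bob"},
    {"timestamp": "04-10-2023 12:45:00.000", "action": "edit_user", "operation": "edit",   "object": "carol"},
]


def subsearch_created(events):
    """Mirror the subsearch: keep action=edit_user operation=create events,
    rename object -> user, then `stats list(timestamp) as created by user`."""
    created = defaultdict(list)
    for ev in events:
        if ev["action"] == "edit_user" and ev["operation"] == "create":
            created[ev["object"]].append(ev["timestamp"])
    return dict(created)


def inner_join(users, created):
    """Default `join` behaviour: a left-side row with no match in the
    subsearch result is dropped, which is why the account count shrinks."""
    return [{"user": u, "created": created[u]} for u in users if u in created]


def left_join(users, created):
    """`join type=left` behaviour: every left-side row survives; rows with
    no create event get an empty `created` value instead of disappearing."""
    return [{"user": u, "created": created.get(u)} for u in users]


def missing_create_event(users, created):
    """Accounts present in the user list that have no recorded create event.
    From an audit perspective these are the rows worth reviewing, since their
    origin cannot be established from the _audit data alone."""
    return [r["user"] for r in left_join(users, created) if r["created"] is None]


if __name__ == "__main__":
    created = subsearch_created(AUDIT_EVENTS)
    print("inner join rows:", len(inner_join(USERS, created)))   # 3 of 5 accounts
    print("left join rows: ", len(left_join(USERS, created)))    # all 5 accounts
    print("no create event:", missing_create_event(USERS, created))
```

In SPL terms the change is `| join type=left user [search ...]` in place of the bare `| join user [...]`; the accounts that come back with an empty `created` column are the ones whose only `_audit` rows are `operation=edit`, or which have no audit rows at all.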