Hi, I wonder whether someone may be able to help me please.
Firstly I will admit that I don't find writing join queries easy, but I'm certainly learning as I write more.
I've put together the following query which lists all user accounts and when they were created:
index=_audit action=edit_user (operation=edit OR operation=create)
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|stats max(timestamp) as "created" by user
|convert timeformat="%d/%b/%Y" ctime(created)
|join user [|rest /services/authentication/users splunk_server=local
|fields title
|rename title as user]
The query works fine, although a little slow.
But I'm now trying to adapt this by adding the last time the user logged on to the account, for which I have the following query:
search index=_audit action="login attempt"
| stats max(timestamp) as _time by user, sourcetype
| where isnull(sourcetype)
| fields - sourcetype
The problem I have is that I'm not sure how to add a third subsearch and the order in which this will run in conjunction with the other two.
What I'm trying to achieve is:
- All user accounts,
- Then against each account the date they were created, then
- The last login date for each user.
I just wondered whether someone could possibly look at this please and offer some guidance on how I may go about achieving this.
Many thanks and kind regards
Chris
**UPDATE**
I have tried the query kindly provided by Chimell and the one I came up with myself, and unfortunately this inserts false dates.
I have then tried the following:
index=_audit action=edit_user operation=edit OR operation=create
|rename object as user
|stats max(timestamp) as "created" by user
|join user [|rest /services/authentication/users splunk_server=local
|fields title
|rename title as user]
|join user type=outer[search index=_audit action="login attempt"
|stats max(timestamp) as "accessed" by user, sourcetype]
|fields - sourcetype
|where created !=""
But the problem I have with this is that there are some records which are null in the "accessed" column, but when I've looked at the raw data, there should be a date shown in this column.
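An added example, not from the original post or from any answer to it, showing one way to assemble the three sources (account list, creation date, last login) in a single pipeline with append and stats rather than nested joins, so that each user ends up on exactly one row even when login events span several sourcetypes. It assumes the _audit login-attempt events carry info=succeeded for successful logins and that the timestamp field uses the format the post already parses; the field names user, created and accessed are the post's own.

```spl
| rest /services/authentication/users splunk_server=local
| fields title
| rename title as user
| eval source_kind="account"
| append
    [ search index=_audit action=edit_user (operation=create OR operation=edit)
      | rename object as user
      | eval created=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
      | fields user created ]
| append
    [ search index=_audit action="login attempt" info=succeeded
      | eval accessed=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
      | fields user accessed ]
| stats count(eval(source_kind="account")) as is_account
        max(created) as created
        max(accessed) as accessed
        by user
| where is_account > 0
| eval created=strftime(created, "%d/%b/%Y"),
       accessed=strftime(accessed, "%d/%b/%Y %H:%M:%S")
| fillnull value="never" accessed
| table user created accessed
```

Because max() is taken on the epoch values produced by strptime rather than on formatted date strings, the newest date wins rather than the lexicographically largest one; the where clause keeps only users that still exist in the REST account list, and accounts with audit history but no successful login show "never" instead of an empty cell.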