Hello all,
I have a query that I have scheduled to run twice as a report: once for last week (Sunday to Sunday) and once for the week prior (also Sunday to Sunday).
The query looks for Logins, and then lists the number of unique computers by the user who logged into them and the type of authentication that was used.
I need to compare these two reports - preferably with a third one, that way I can schedule them all after hours. When they are compared, I need it to show:
1. usernames that show up on one report but not the other **and**
2. usernames that logged into a different number of hosts than in the other report -- like if a user logs into 20 hosts one week and 50 the next - I need the difference. It can be a percentage or just the number (like 50-20=30).
Here is the query I'm currently running:
sourcetype="Login"
| eventstats dc(host) as distinct_hosts by UserName, Event, Authentication
| where distinct_hosts >= 2
| dedup host, UserName, Authentication
| stats dc(Computer) by UserName, Event, Authentication
It doesn't much matter how it gets done within Splunk, it just needs to be schedule-able. I've looked around a bunch but haven't found anything that addresses this and this is beyond my Splunk knowledge level.
Thanks in advance for any help!
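An added example (not from the original post or Splunk's own code) of the comparison the third report has to make: it takes two weekly result sets in the shape the query above produces (one row per UserName/Event/Authentication with a distinct-host count), then lists the users present in only one week and, for users present in both, the change in host count as both an absolute number and a percentage. The sample rows are constructed, and the field name `distinct_hosts` is assumed to be the alias given to `dc(Computer)` when the report is saved.

```python
"""Compare two weekly 'distinct hosts per user' login reports.

Constructed example. Each report is assumed to be the output of a
scheduled search like
    ... | stats dc(Computer) as distinct_hosts by UserName, Event, Authentication
exported as rows (e.g. written with outputlookup and read back as CSV).
"""
import csv
from collections import defaultdict

# Constructed sample rows: the week before last and last week.
PREVIOUS_WEEK = [
    {"UserName": "alice", "Event": "4624", "Authentication": "Kerberos", "distinct_hosts": 20},
    {"UserName": "bob",   "Event": "4624", "Authentication": "NTLM",     "distinct_hosts": 5},
    {"UserName": "carol", "Event": "4624", "Authentication": "Kerberos", "distinct_hosts": 3},
]
LAST_WEEK = [
    {"UserName": "alice", "Event": "4624", "Authentication": "Kerberos", "distinct_hosts": 50},
    {"UserName": "bob",   "Event": "4624", "Authentication": "NTLM",     "distinct_hosts": 5},
    {"UserName": "dave",  "Event": "4624", "Authentication": "NTLM",     "distinct_hosts": 2},
]


def load_report_csv(path):
    """Read a saved report (CSV with a header row) into a list of dicts."""
    with open(path, newline="") as fh:
        return list(csv.DictReader(fh))


def aggregate(rows, key_fields=("UserName",), count_field="distinct_hosts"):
    """Sum the host count per key.

    With the default key this collapses the report's Event/Authentication
    split into one number per user (an upper bound, since the same host may
    appear under two authentication types). Pass ("UserName", "Authentication")
    to keep authentication types separate.
    """
    totals = defaultdict(int)
    for row in rows:
        key = tuple(row[f] for f in key_fields)
        totals[key] += int(row[count_field])
    return dict(totals)


def compare_reports(previous, current, key_fields=("UserName",), min_delta=1):
    """Return users only in one week, plus host-count changes for the rest.

    min_delta: smallest absolute change worth reporting (1 = any change).
    """
    prev = aggregate(previous, key_fields)
    cur = aggregate(current, key_fields)
    only_previous = sorted(set(prev) - set(cur))   # seen two weeks ago, not last week
    only_current = sorted(set(cur) - set(prev))    # new last week
    changed = []
    for key in sorted(set(prev) & set(cur)):
        delta = cur[key] - prev[key]
        if abs(delta) >= min_delta:
            # Percentage is undefined when the earlier count is zero.
            pct = round(100.0 * delta / prev[key], 1) if prev[key] else None
            changed.append({
                "key": key,
                "previous": prev[key],
                "current": cur[key],
                "delta": delta,          # e.g. 50 - 20 = 30
                "pct_change": pct,       # e.g. +150.0 %
            })
    return {"only_previous": only_previous, "only_current": only_current, "changed": changed}


def format_summary(result):
    """Render the comparison as plain text for an e-mailed or saved report."""
    lines = []
    for key in result["only_previous"]:
        lines.append(f"{'/'.join(key)}: only in previous week")
    for key in result["only_current"]:
        lines.append(f"{'/'.join(key)}: only in last week")
    for c in result["changed"]:
        pct = "n/a" if c["pct_change"] is None else f"{c['pct_change']:+.1f}%"
        lines.append(f"{'/'.join(c['key'])}: {c['previous']} -> {c['current']} "
                     f"({c['delta']:+d}, {pct})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(compare_reports(PREVIOUS_WEEK, LAST_WEEK)))
```

One caveat worth keeping in mind when feeding this from the query above: the `where distinct_hosts >= 2` filter drops users who touched a single host, so a user going from 2 hosts to 1 will appear as "only in previous week" rather than as a change of -1. If that matters, save the counts before the threshold is applied and filter in the comparison step instead.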