https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413150#M73084 <P>Need to create a query to be able to pull data and show when someone has either swiped in from key card reader, logged into the network, or signed on via VPN. From there i would like to setup an alert.</P> <P>Ex. A user has logged onto the network, but did not swipe in the card reader and did not log in via VPN. <BR /> Ex. A user has swiped into the building via the card reader and is also logged in via VPN, but did not log into the network. </P> Tue, 11 Jun 2019 19:46:45 GMT dmws 2019-06-11T19:46:45Z https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413150#M73084 <P>Need to create a query to be able to pull data and show when someone has either swiped in from key card reader, logged into the network, or signed on via VPN. From there i would like to setup an alert.</P> <P>Ex. A user has logged onto the network, but did not swipe in the card reader and did not log in via VPN. <BR /> Ex. A user has swiped into the building via the card reader and is also logged in via VPN, but did not log into the network. </P> Tue, 11 Jun 2019 19:46:45 GMT https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413150#M73084 dmws 2019-06-11T19:46:45Z https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413151#M73085 <P>Are you ingesting your card reader, VPN, and network logon events in Splunk?</P> Tue, 11 Jun 2019 19:52:59 GMT https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413151#M73085 richgalloway 2019-06-11T19:52:59Z https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413152#M73086 <P>Yes, there is an index ingesting data for all three. The struggle is getting the join query to pull back the needed data or correct amount. See below query for example:</P> <P>index=(network logon) <BR /> | table user, source <BR /> | join type=inner user <BR /> [ search index=active directory <BR /> | table user, department ] <BR /> | join type=left user <BR /> [ search index=(vpn) <BR /> | table user ] <BR /> | join type=left user <BR /> [ search index=(key card)<BR /> | table user, LNAME, FNAME, LOCATION]<BR /><BR /> | where department!= " "</P> Tue, 11 Jun 2019 19:59:46 GMT https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413152#M73086 dmws 2019-06-11T19:59:46Z https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413153#M73087 <P>You have a query. How is it failing? What do you want that it is not providing?</P> Wed, 12 Jun 2019 12:41:16 GMT https://community.splunk.com/t5/Getting-Data-In/Create-alert-to-show-possible-shared-passwords/m-p/413153#M73087 richgalloway 2019-06-12T12:41:16Z