https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/607676#M14081 <P>The first steps are to ensure the access control system logs card swipes to Splunk and that logins to the domain also are logged in Splunk.</P><P>You may need to normalize the two since they may not use the same identifier.&nbsp; That can be done in the search or by adding FIELDALIAS properties to the respective sourcetypes.</P><P>Then it's just a matter of searching for domain logins that don't have a corresponding card swipe.&nbsp; This assumes there's no VPN or other means for accessing the domain without an access card.</P><P>&nbsp;</P><LI-CODE lang="markup">index=domain_logins NOT [ search index=access_control | fields user | format ]</LI-CODE><P>&nbsp;</P> Sun, 31 Jul 2022 18:25:37 GMT richgalloway 2022-07-31T18:25:37Z https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/607634#M14074 <P>Hi All,</P> <P>How can I build a use case and get notified in Splunk when a user does not swipe his/her access card at the door but is logged into the domain?</P> <P>Please help.</P> Sun, 31 Jul 2022 17:33:35 GMT https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/607634#M14074 Splunk_Master01 2022-07-31T17:33:35Z https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/607676#M14081 <P>The first steps are to ensure the access control system logs card swipes to Splunk and that logins to the domain also are logged in Splunk.</P><P>You may need to normalize the two since they may not use the same identifier.&nbsp; That can be done in the search or by adding FIELDALIAS properties to the respective sourcetypes.</P><P>Then it's just a matter of searching for domain logins that don't have a corresponding card swipe.&nbsp; This assumes there's no VPN or other means for accessing the domain without an access card.</P><P>&nbsp;</P><LI-CODE lang="markup">index=domain_logins NOT [ search index=access_control | fields user | format ]</LI-CODE><P>&nbsp;</P> Sun, 31 Jul 2022 18:25:37 GMT https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/607676#M14081 richgalloway 2022-07-31T18:25:37Z https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/608592#M14118 <P>Hi Rich,</P><P>So I've managed to combine both the indexes but now the challenge I face is that results come in two separate rows instead of one.&nbsp;</P><P>One row picks information for AD and the other picks for Access Control. I think this is arising due to naming conventions being slightly different in both indexes.</P><P>Is there a way we can tell Splunk that person Apple Banana is the same person as Apple Cabbage because "Apple" is the common thing in both indexes? And also have this result in one row instead of two?</P> Sun, 07 Aug 2022 04:23:32 GMT https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/608592#M14118 Splunk_Master01 2022-08-07T04:23:32Z https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/608594#M14119 <P>If Apple is in the same field in both indexes, you can use that field in the by clause of a stats command - if not, copy it to a common field name</P><LI-CODE lang="markup">index=index1 OR index=index2 | eval apple_field=coalesce(apple_field1, apple_field2) | stats values(*) as * by apple_field</LI-CODE> Sun, 07 Aug 2022 06:38:45 GMT https://community.splunk.com/t5/Alerting/How-to-build-use-case-and-notification-for-badge-reader-and/m-p/608594#M14119 ITWhisperer 2022-08-07T06:38:45Z