topic Re: Account status -> bypassed, is it enabled? in Splunk Search

Account status -> bypassed, is it enabled?

jbanAtSplunk — Thu, 14 Oct 2021 09:37:06 GMT

Hi,

We have status in one log type, where we would like to track if account is in state: bypassed

Example:

2021-13-10 user1 bypassed

2021-13-10 user2 enabled

2021-13-09 user2 bypassed
2021-13-08 user3 bypassed

2021-13-08 user3 active
2021-13-08 user3 bypassed
2021-13-07 user3 active

how can we find last 2 status for user in period of time and than based on last bypass/active status we get only accounts that have still active bypass status?

Re: Account status -> bypassed, is it enabled?

richgalloway — Thu, 14 Oct 2021 13:02:31 GMT

To get the last 2 statuses for a user, use dedup 2.

... | dedup 2 user ...

To get the current status, use dedup.

... | dedup user | where status="bypassed"

Re: Account status -> bypassed, is it enabled?

jbanAtSplunk — Thu, 14 Oct 2021 13:09:23 GMT

Hey,

I think I solve this with this query using eventstats dc (this is giving me last two condition) where I can then see if the last status is Bypass.
example: