https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571250#M199053 <P><SPAN><SPAN>The answer to this probably stupid simple. Banging my head on this.</SPAN></SPAN></P><DIV><SPAN><SPAN>Help and patience please.</SPAN></SPAN><DIV>&nbsp;<DIV><SPAN><SPAN>I am writing a query which audits user role activations.</SPAN></SPAN><P><SPAN>A user can have many roles, i.e. Network Admin, Security Reader, User Admin, Storage Operator, etc.</SPAN></P><DIV><SPAN><SPAN>Specifically, I want to view how many days has passed since a user activated a specific role.</SPAN></SPAN><DIV>&nbsp;<DIV><SPAN><SPAN>Today - Last Activation = Days Since Last Activation</SPAN></SPAN><P>&nbsp;</P><DIV><SPAN><SPAN>Questions:</SPAN></SPAN><OL><LI><SPAN>How can I most efficiently&nbsp;subtract the time of the most recent role activation event from the current time?</SPAN></LI><LI><SPAN>How can I then only show the most recent results?</SPAN></LI><LI><SPAN><SPAN>How to then audit all users who have not activated a role in the past 30 days?</SPAN></SPAN></LI></OL><P>&nbsp;</P><DIV><SPAN><SPAN>Base query for a single user search over 30 days and sample results are below.</SPAN></SPAN><P>&nbsp;</P><PRE>&nbsp;index=audit user=bob@example.com <BR />| eval days = round((now() - _time)/86400) <BR />| table Role, user, _time, days <BR />| sort - days</PRE><P>Sample Data Below</P><TABLE width="606"><TBODY><TR><TD width="172">Role</TD><TD width="201">UserName</TD><TD width="198">_time</TD><TD width="35">days</TD></TR><TR><TD>Global Reader</TD><TD><A href="mailto:zzdavid.reiling@tollgroup.com" target="_blank" rel="noopener">bob@example.com</A></TD><TD>2021-09-19T08:35:06.998</TD><TD>29</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-19T08:35:05.514</TD><TD>29</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-23T05:55:51.177</TD><TD>25</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-23T05:55:49.036</TD><TD>25</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:20.254</TD><TD>24</TD></TR><TR><TD>Storage Operator</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:18.942</TD><TD>24</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-27T07:22:23.971</TD><TD>21</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-27T07:22:22.971</TD><TD>21</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-27T07:19:40.569</TD><TD>21</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-27T07:19:39.460</TD><TD>21</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Desired results only show the most recent events&nbsp;</P><TABLE width="606"><TBODY><TR><TD width="172">Role</TD><TD width="201">UserName</TD><TD width="198">_time</TD><TD width="35">days</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:20.254</TD><TD>24</TD></TR><TR><TD>Storage Operator</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:18.942</TD><TD>24</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-27T07:22:22.971</TD><TD>21</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-27T07:19:39.460</TD><TD>21</TD></TR></TBODY></TABLE></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Mon, 18 Oct 2021 06:04:09 GMT dmbr 2021-10-18T06:04:09Z https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571250#M199053 <P><SPAN><SPAN>The answer to this probably stupid simple. Banging my head on this.</SPAN></SPAN></P><DIV><SPAN><SPAN>Help and patience please.</SPAN></SPAN><DIV>&nbsp;<DIV><SPAN><SPAN>I am writing a query which audits user role activations.</SPAN></SPAN><P><SPAN>A user can have many roles, i.e. Network Admin, Security Reader, User Admin, Storage Operator, etc.</SPAN></P><DIV><SPAN><SPAN>Specifically, I want to view how many days has passed since a user activated a specific role.</SPAN></SPAN><DIV>&nbsp;<DIV><SPAN><SPAN>Today - Last Activation = Days Since Last Activation</SPAN></SPAN><P>&nbsp;</P><DIV><SPAN><SPAN>Questions:</SPAN></SPAN><OL><LI><SPAN>How can I most efficiently&nbsp;subtract the time of the most recent role activation event from the current time?</SPAN></LI><LI><SPAN>How can I then only show the most recent results?</SPAN></LI><LI><SPAN><SPAN>How to then audit all users who have not activated a role in the past 30 days?</SPAN></SPAN></LI></OL><P>&nbsp;</P><DIV><SPAN><SPAN>Base query for a single user search over 30 days and sample results are below.</SPAN></SPAN><P>&nbsp;</P><PRE>&nbsp;index=audit user=bob@example.com <BR />| eval days = round((now() - _time)/86400) <BR />| table Role, user, _time, days <BR />| sort - days</PRE><P>Sample Data Below</P><TABLE width="606"><TBODY><TR><TD width="172">Role</TD><TD width="201">UserName</TD><TD width="198">_time</TD><TD width="35">days</TD></TR><TR><TD>Global Reader</TD><TD><A href="mailto:zzdavid.reiling@tollgroup.com" target="_blank" rel="noopener">bob@example.com</A></TD><TD>2021-09-19T08:35:06.998</TD><TD>29</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-19T08:35:05.514</TD><TD>29</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-23T05:55:51.177</TD><TD>25</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-23T05:55:49.036</TD><TD>25</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:20.254</TD><TD>24</TD></TR><TR><TD>Storage Operator</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:18.942</TD><TD>24</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-27T07:22:23.971</TD><TD>21</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-27T07:22:22.971</TD><TD>21</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-27T07:19:40.569</TD><TD>21</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-27T07:19:39.460</TD><TD>21</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Desired results only show the most recent events&nbsp;</P><TABLE width="606"><TBODY><TR><TD width="172">Role</TD><TD width="201">UserName</TD><TD width="198">_time</TD><TD width="35">days</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:20.254</TD><TD>24</TD></TR><TR><TD>Storage Operator</TD><TD>bob@example.com</TD><TD>2021-09-24T00:48:18.942</TD><TD>24</TD></TR><TR><TD>Systems Administrator</TD><TD>bob@example.com</TD><TD>2021-09-27T07:22:22.971</TD><TD>21</TD></TR><TR><TD>Global Reader</TD><TD>bob@example.com</TD><TD>2021-09-27T07:19:39.460</TD><TD>21</TD></TR></TBODY></TABLE></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Mon, 18 Oct 2021 06:04:09 GMT https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571250#M199053 dmbr 2021-10-18T06:04:09Z https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571272#M199058 <LI-CODE lang="markup">index=audit user=bob@example.com | stats latest(_time) as _time by user, Role | eval days = round((now() - _time)/86400) | table Role, user, _time, days | sort - days</LI-CODE> Mon, 18 Oct 2021 07:51:05 GMT https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571272#M199058 ITWhisperer 2021-10-18T07:51:05Z https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571293#M199068 <P>Sincere Thank you&nbsp;<SPAN>ITWhisperer for the reply,&nbsp;much appreciated.</SPAN></P><P><SPAN>As expected, the solution was much stupid simple.&nbsp;<span class="lia-unicode-emoji" title=":face_with_tears_of_joy:">😂</span></SPAN></P> Mon, 18 Oct 2021 10:00:26 GMT https://community.splunk.com/t5/Splunk-Search/Display-days-passed-between-current-time-and-most-recent/m-p/571293#M199068 dmbr 2021-10-18T10:00:26Z