topic Re: How to get list of users with user account created date and email associated to it? in Splunk Search

How to get list of users with user account created date and email associated to it?

testnoob — Tue, 22 Mar 2022 19:59:26 GMT

Hi All ,

The requirement is to get all usernames , username created date and email associated to it as below

username username_created_date email_associated

testnoob 03/22/2022 testnoob@xxyy.com

how can i achieve this ? can you please help me

Re: How to get list of users with user account created date and email associated to it?

richgalloway — Tue, 22 Mar 2022 21:07:55 GMT

Start with this REST command then add to the SPL as necessary to get the desired results.

| rest /servicesNS/-/-/admin/users

Re: How to get list of users with user account created date and email associated to it?

testnoob — Thu, 24 Mar 2022 16:49:08 GMT

index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp

If i use above query i get only part of the users ( 17 users ) with username and account created date , but not whole list of users ( 400 users) with username and account created date.

Is there any restriction in splunk , why is it only pulling part of the users list and not complete ?

Re: How to get list of users with user account created date and email associated to it?

testnoob — Thu, 24 Mar 2022 16:59:32 GMT

| rest /servicesNS/-/-/admin/users

this does not give account created date , just the updated date to the account

Re: How to get list of users with user account created date and email associated to it?

richgalloway — Thu, 24 Mar 2022 19:29:39 GMT

That query will only show recently-created accounts - those created during the retention period of the audit index.

To keep those events longer, consider writing them to a summary index with a longer retention period.

Re: How to get list of users with user account created date and email associated to it?

richgalloway — Fri, 25 Mar 2022 00:10:23 GMT

I'm pretty sure Splunk does not store the creation time of an account other than what's in the audit index. Don't trust the updated time, either, as I've seen it be wrong (zero) almost all the time.