topic Re: Display deleted events between 2 scheduled searches in Splunk Search

Display deleted events between 2 scheduled searches

saurabhkunte — Fri, 02 May 2014 15:27:04 GMT

Hi All,

Hoping you can help me out here.

I have a ps input indexing daily AD computer objects to Splunk. The scripted input is set to execute daily. Output is in the following manner :

2014/04/29 11:46:39 ServerName="am-dc02" ADSPath="CN=am-dc02,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:36"
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"

I am having difficulties displaying AD Computer objects that got deleted in the last 1 day, last 7 days and last 30 days period.
For eg if the search that ran yesterday indexed 2 AD computer objects and the next run of the scripted input indexed only 1 AD computer obj :
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"

How do I list the AD computer object that got deleted when the scripted input ran today ? As I am not including isDeleted AD object property, I have to rely on the time stamp that is written at the start of each event in the output. This is the logic i am using while building the search.

I search for current time - 1 day and get the results displayed. Then I make a sub search for displaying the results of the current day. Then I am using the diff command to get the results. however that does not work at all. Can somebody please help me ? THank you.

Re: Display deleted events between 2 scheduled searches

lguinn2 — Fri, 02 May 2014 16:37:15 GMT

Couldn't you do this? The following example is for a single day.

yoursearchhere earliest=-1d@d
| stats count by ServerName
| where count < 2

For an arbitrary number of days, this might be better:

yoursearchhere
| stats count range(_time) as range earliest(_time) as firstSeenOn latest(_time) as lastSeenOn by ServerName
| eval numDays = round(range/86400,0)
| where count < numDays
| table ServerName firstSeenOn lastSeenOn

or even

yoursearchhere
| stats latest(_time) as lastSeenOn by ServerName
| eval lastSeenOn = relative_time(lastSeenOn,"@d")
| eval today = relative_time(now(),"@d")
| where lastSeenOn < today
| fields - today

Re: Display deleted events between 2 scheduled searches

saurabhkunte — Fri, 02 May 2014 17:47:49 GMT

Thanks for you reply.

However none of these searches display any results. It says there are few matching events, but it does not display the results. I tried breaking up the search strings you provided but I am unable to figure out why the search does not return any results.

Re: Display deleted events between 2 scheduled searches

lguinn2 — Fri, 02 May 2014 20:12:47 GMT

What search are you using? Also, what do you see if you enter

yoursearchhere | table _time ServerName

Re: Display deleted events between 2 scheduled searches

somesoni2 — Fri, 02 May 2014 20:17:04 GMT

Try this

AD objects deleted in last 1 day

...your base search... earliest=-1d@d latest=@d NOT [search ...your base search...earliest=@d | stats count by ServerName,ADSPath | table  ServerName,ADSPath | format]

This should give you all the AD groups that were present yesterday but not today.

Similarly change the earliest to "-7d@d" and "-30d@d" in the base search (not subsearch) to get object that were present in last 7days/30 days but not today.

Re: Display deleted events between 2 scheduled searches

saurabhkunte — Fri, 02 May 2014 21:39:54 GMT

Thanks Soni,

This search of yours works. Its just a bit slow to disaply results, but that would be coz the query making 2 searches against 2 different time frames.

Re: Display deleted events between 2 scheduled searches

lguinn2 — Fri, 02 May 2014 23:19:42 GMT

Or remove the where commands and see what you get