I have 2 types of account for the same users, like:
1. username
2. adm-username
As a requirement, I need to find the disabled usernames along with the status of their respective adm-usernames.
I have the query to find the disabled usernames, but I need to know the status of their adm-username accounts.
I presume you have two searches:
- one search for finding all disabled users
- one search for finding all adm-users and their respective status
I suggest you use the join command:
index=... your search for all disabled users | dedup username | table username
| eval adm_username="adm-".username
| join type=left adm_username [search index=... your search for all adm-users | rename username as adm_username status as adm_status | table adm_username,adm_status]
This should get you a table with the columns: username, adm_username, adm_status.
Not getting what I need; it's just changing the name by prefixing ADM- in front of the username.
Maybe I was not clear with the query. I need to search whether ADM accounts are present or not for the users that are disabled, as we don't have an adm account for all the users.
Running this query is not solving the issue:
sourcetype="WinEventLog:Security" EventCode=4725 user!="$" | dedup user | table user
| eval adm_username="adm-".user
| join type=left adm_username [search sourcetype="WinEventLog:Security" EventCode=4725 user!="$" OR user="adm-*" | rename user as adm_username status as adm_status | table adm_username,adm_status]
So do you just want to list all ADM accounts which are disabled? Or do you want to list all ADM accounts with their respective status (enabled/disabled)? Perhaps you could provide an example as to what the expected results should look like.
Hi Whrg,
Basically I want the ADM accounts which are left out.
In our organization there is a process for disabling the user accounts, not the adm accounts. I need something that tells me the adm account is left for the respective user account which is disabled,
so that we can manually disable them.
Note: the ADM account is not for all the users in the organization; just 40% of the users have an ADM account.
Hello @deepak007, do you have a search for finding the status of an adm-username?
How are usernames and adm-usernames connected? Is it just the prefix "adm-" before the username?
Yes, we have 2 types of user names in our environment.
The same user holds both the accounts, but both the accounts are different.
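An added, self-contained SPL example (not whrg's or deepak007's search) showing the join pattern from the answer above applied to the requirement spelled out in the later replies: starting from the disabled usernames, derive the adm- name, left-join the adm account status, and keep only the rows where an adm account exists and is still enabled. Both inputs are constructed with makeresults/case so the search runs without any index; replace them with the real disabled-user and adm-account searches. The usernames alice, bob, carol, dave and the adm_status values are made up for the demo.

```spl
| makeresults count=3
| streamstats count AS n
| eval username=case(n==1,"alice", n==2,"bob", n==3,"carol")
| fields username
| eval adm_username="adm-".username
| join type=left adm_username
    [| makeresults count=3
     | streamstats count AS n
     | eval adm_username=case(n==1,"adm-alice", n==2,"adm-carol", n==3,"adm-dave"),
            adm_status=case(n==1,"enabled", n==2,"disabled", n==3,"enabled")
     | fields adm_username adm_status ]
| fillnull value="no adm account" adm_status
| where adm_status="enabled"
| table username adm_username adm_status
```

With the constructed data this returns one row (alice, adm-alice, enabled): bob has no adm account (the left join leaves adm_status null, which fillnull labels), and carol's adm account is already disabled, so neither needs action. Drop the `where` line to see all three rows with their status.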