Splunk Search

How do you find the disabled usernames along with the status of their respective adm-usernames?

deepak007
Explorer

I have 2 types of account for the same users, like
1. username
2. adm-username

As a requirement, I need to find the disabled usernames along with the status of their respective adm-usernames

I have the query to find the disabled usernames, but I need to know the status of their adm-username account status.

0 Karma

whrg
Motivator

I presume you have two searches:
- one search for finding all disabled users
- one search for finding all adm-users and their respective status

I suggest you use the join command:

index=... your search for all disabled users | dedup username | table username
| eval adm_username="adm-".username
| join type=left adm_username [search index=... your search for all adm-users | rename username as adm_username status as adm_status | table adm_username,adm_status]

This should get you a table with the columns: username, adm_username, adm_status

0 Karma

deepak007
Explorer

Not getting what I need; it's just changing the name by prefixing ADM- in front of the username.

Maybe I was not clear with the query. I need to search whether an existing ADM account is present or not for the users that are disabled, as we don't have an adm account for all the users.

Running this query is not solving the issue:

sourcetype="WinEventLog:Security" EventCode=4725 user!="*$" | dedup user | table user
| eval adm_username="adm-".user
| join type=left adm_username [search sourcetype="WinEventLog:Security" EventCode=4725 user!="*$" OR user="adm-*" | rename user as adm_username status as adm_status | table adm_username,adm_status]

0 Karma

whrg
Motivator

So do you just want to list all ADM accounts which are disabled? Or do you want to list all ADM accounts with their respective status (enabled/disabled)? Perhaps you could provide an example as to what the expected results should look like.

0 Karma

deepak007
Explorer

Hi Whrg,

Basically I want the ADM accounts which are left out.
In our organization there is a process of disabling the user accounts, not the adm accounts. I need something that tells me the adm account is left for the respective user account which is disabled,
so that we can manually disable them.

Note: ADM accounts are not for all the users in the organization; just 40% of the users have an ADM account.

0 Karma

whrg
Motivator

Hello @deepak007, do you have a search for finding the status of an adm-username?
How are usernames and adm-usernames connected? Is it just the prefix "adm-" before the username?

0 Karma

deepak007
Explorer

Yes, we have 2 types of usernames in our environment:

  1. username
  2. adm-username

The same user holds both accounts, but the two accounts are different.

0 Karma
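The correlation the thread is after (take the latest enable/disable event per account, derive the adm- name from the regular username, left-join, and report the adm- accounts that are still enabled after their user account was disabled), shown as an added Python example rather than the SPL posted above. It is not code from the thread or from Splunk; the event records are constructed and the "adm-" prefix, the 4722/4725 mapping and the trailing-"$" computer-account filter are the assumptions the thread itself describes.

```python
"""Correlate disabled user accounts with the status of their adm- counterparts.

Added example (not from the thread): models the Splunk `dedup` + `join` logic
over constructed Windows Security events so the join semantics can be checked.
EventCode 4725 = "A user account was disabled", 4722 = "A user account was enabled".
"""
from datetime import datetime

DISABLED = 4725
ENABLED = 4722

# Constructed sample events, not real log data. Each dict stands in for one
# WinEventLog:Security event with its _time, EventCode and target "user" field.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:00", "EventCode": ENABLED, "user": "alice"},
    {"_time": "2024-01-10T09:01:00", "EventCode": ENABLED, "user": "adm-alice"},
    {"_time": "2024-02-01T10:00:00", "EventCode": DISABLED, "user": "alice"},     # adm-alice left enabled
    {"_time": "2024-02-02T10:00:00", "EventCode": DISABLED, "user": "bob"},
    {"_time": "2024-02-02T10:05:00", "EventCode": DISABLED, "user": "adm-bob"},   # both already disabled
    {"_time": "2024-02-03T10:00:00", "EventCode": DISABLED, "user": "carol"},     # carol has no adm account
    {"_time": "2024-01-15T08:00:00", "EventCode": DISABLED, "user": "dave"},
    {"_time": "2024-02-04T08:00:00", "EventCode": ENABLED, "user": "Dave"},       # re-enabled later; case differs
    {"_time": "2024-02-05T08:00:00", "EventCode": ENABLED, "user": "eve"},
    {"_time": "2024-02-05T08:01:00", "EventCode": DISABLED, "user": "adm-eve"},   # adm disabled, user still active
    {"_time": "2024-02-06T08:00:00", "EventCode": DISABLED, "user": "SERVER01$"}, # computer account, excluded
]


def latest_status(events):
    """Return {username: 'enabled' | 'disabled'} from each account's most recent
    4722/4725 event. This is the equivalent of `sort _time | dedup user` in SPL;
    a plain `dedup` on unsorted results would keep an arbitrary event instead."""
    latest = {}
    for ev in events:
        if ev["EventCode"] not in (ENABLED, DISABLED):
            continue
        name = ev["user"].lower()          # Windows account names are case-insensitive
        if name.endswith("$"):             # skip computer accounts (user!="*$")
            continue
        ts = datetime.fromisoformat(ev["_time"])
        state = "disabled" if ev["EventCode"] == DISABLED else "enabled"
        if name not in latest or ts > latest[name][0]:
            latest[name] = (ts, state)
    return {name: state for name, (_, state) in latest.items()}


def correlate(events, prefix="adm-"):
    """Left-join every disabled regular account with its adm- counterpart.
    adm_status is 'enabled', 'disabled', or 'none' when no 4722/4725 event
    for the adm- account exists in the data (the same rows whrg's join produces,
    with the null from the left join made explicit)."""
    status = latest_status(events)
    rows = []
    for name, state in sorted(status.items()):
        if state != "disabled" or name.startswith(prefix):
            continue
        adm = prefix + name
        rows.append({"username": name, "adm_username": adm,
                     "adm_status": status.get(adm, "none")})
    return rows


def adm_accounts_to_disable(events, prefix="adm-"):
    """The 'left out' adm- accounts: user account disabled, adm- account still enabled."""
    return [r["adm_username"] for r in correlate(events, prefix)
            if r["adm_status"] == "enabled"]


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
    print("adm accounts to disable:", adm_accounts_to_disable(SAMPLE_EVENTS))
```

One caveat the event data alone cannot resolve: an adm- account that has never generated a 4722 or 4725 event shows up as "none", which means "no enable/disable event seen", not "account does not exist". Cross-checking the "none" rows against a directory export (a lookup of current accounts) separates the 40% of users who actually hold an adm- account from those who never did.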