Search all the login events from a location

jarapally
Explorer

Need to run a report where the user is supposed to work remotely for 110 days in any given 365 days. The 365 days is a rolling window. Within any 365 days the user is supposed to work only 110 days. Can someone help me with the logic?

0 Karma

tiagofbmm
Influencer

Hey

search *login* earliest=-365d
| eval unique_date= date_mday . "/" . date_month
| stats count by unique_date, user
| stats count by user
| eval crossed_threshold=if(count>110,"True","False")

If the result of that search is greater than 110 for any user in a 365 days period, then he crossed your threshold.

Could this sketch be according to your needs?

0 Karma

jarapally
Explorer

We are running the report every 30 days, so we are using a lookup to store all the remote logins. Can you modify the search based on that?

0 Karma

tiagofbmm
Influencer

Sorry I'm not following now. Do you want to store the results of this search in a lookup? Or do you have a lookup with something else that you want to include in the search?

0 Karma

jarapally
Explorer

We are not running the search for 365 days but every 30 days and sending the remaining days left within the 365 rolling window.

0 Karma

tiagofbmm
Influencer

Ok so then just change the earliest time you are looking at it:

search *login* earliest=-30d
| eval unique_date= date_mday . "/" . date_month
| stats count by unique_date, user
| stats count by user
| eval crossed_threshold=if(count>110,"True","False")

0 Karma

jarapally
Explorer

But the user is allowed to work for 110 days within any given 365 days. And we run this report every 30 days to send them the remaining days that are left

0 Karma

tiagofbmm
Influencer

Sorry, I think I finally understood what you intend:

search *login* earliest=-365d
| eval unique_date= date_mday . "/" . date_month
| stats count by unique_date, user
| stats count by user
| eval remaining_days = 110-count

Let me know if that is what you want to send to the users.

0 Karma
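
The rolling-window logic this thread is after, as an added Python example that is not part of the original thread or its Splunk search: the login events are constructed sample data, the user names are made up, and the 110-day allowance and 365-day window come from the question. It also shows the strict reading of "any given 365 days" (largest count in any sliding span), which a single report-time count only approximates.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

ALLOWANCE_DAYS = 110   # remote days permitted per rolling window (from the question)
WINDOW_DAYS = 365      # length of the rolling window (from the question)

# Constructed sample login events, (user, timestamp); not data from the thread.
# Repeated logins on one calendar day must count as a single remote-work day.
SAMPLE_LOGINS = [
    ("alice", "2023-03-02T09:00:00"),  # just outside a window ending 2024-03-01
    ("alice", "2023-03-03T09:00:00"),  # first day inside that window
    ("alice", "2024-01-15T08:02:11"),
    ("alice", "2024-01-15T13:45:09"),  # second login, same day
    ("alice", "2024-03-01T09:00:00"),
    ("bob",   "2024-02-10T07:30:00"),
] + [  # carol logs in on 120 consecutive days, so she exceeds the allowance
    ("carol", (date(2023, 9, 1) + timedelta(days=i)).isoformat() + "T09:00:00")
    for i in range(120)
]

def distinct_login_days(events):
    """Map each user to the set of calendar dates (year included) with a login."""
    days = defaultdict(set)
    for user, ts in events:
        days[user].add(datetime.fromisoformat(ts).date())
    return days

def remaining_days(events, report_date, allowance=ALLOWANCE_DAYS, window=WINDOW_DAYS):
    """Per user: distinct login days in the `window`-day span ending on report_date
    (an ISO date string, inclusive), days left, and whether the allowance is exceeded."""
    window_end = date.fromisoformat(report_date)
    window_start = window_end - timedelta(days=window - 1)
    report = {}
    for user, days in distinct_login_days(events).items():
        used = sum(1 for d in days if window_start <= d <= window_end)
        report[user] = {"days_used": used,
                        "remaining": max(allowance - used, 0),
                        "crossed_threshold": used > allowance}
    return report

def max_days_in_any_window(days, window=WINDOW_DAYS):
    """Strict reading of 'any given 365 days': slide over the sorted distinct days
    and return the largest count that fits inside one span of `window` days."""
    ordered = sorted(days)
    best = lo = 0
    for hi, d in enumerate(ordered):
        while (d - ordered[lo]).days >= window:   # drop days that fell out of the span
            lo += 1
        best = max(best, hi - lo + 1)
    return best
```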

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma