Splunk Search

compare result of two search results of usernames

erikwie
Path Finder

I need to get a list of all users that haven't changed their password (Windows) in a set timespan. The timespan exceeds the length of the Splunk log data.
I have made a search to give me usernames of all successful logins, and another search giving me usernames of users that have changed passwords.
But I can't figure out a way to compare the two results in a way that gives me a listing of all the usernames that are in the user login list but not in the user changed password list.
Any suggestions to get this comparison to work are much appreciated. If I'm way off on my search, please enlighten me.

This is the search I have so far.

index=winevents (EventCode=4723 OR EventCode=4724) Keywords="Audit Success"
| eval User=mvindex(Account_Name,1)
| dedup User
| search User!=$
| sort User
| rename User AS User_PW
| table User_PW
| append
[ search index=winevents EventCode=4648 Keywords="Audit Success"
| eval User=mvindex(Account_Name,1)
| dedup User
| search User!=$
| sort User
| rename User AS User_Login
| table User_Login]

0 Karma
1 Solution

erikwie
Path Finder

This is the code that solved my needs for a list of users that have had the Password Last Change timestamp updated without changing the password.
Found a way to get the information in a super easy way. On my single instance Splunk the search runs for 42 sec on a 60 day search.

index=winevents Account_Domain="YourDomain" ((EventCode=4738 Password_Last_Set!="<never>") OR EventCode=4723)
| convert timeformat="%Y.%m.%d" ctime(_time) AS timestamp 
| eval Message=split(Message,".") 
| eval Short_Message=mvindex(Message,0) 
| eval Admin=mvindex(Account_Name,0) 
| eval User=mvindex(Account_Name,1) 
| transaction User maxspan=7d
| search EventCode=4738 EventCode!=4723 Admin=_* Password_Last_Set!="-"
| table timestamp EventCode Short_Message Admin User Keywords Password_Last_Set


0 Karma


gcusello
SplunkTrust

Hi @erikwie,
with this approach you could have a problem, because there's a limit of 50,000 results in subsearches.

So, please try something like this:

index=winevents (EventCode=4723 OR EventCode=4724 OR EventCode=4648 ) Keywords="Audit Success"
| eval User=mvindex(Account_Name,1)
| search User!=$
| sort User
| eval type=if(EventCode="4648","login","pwd")
| stats values(EventCode) AS EventCode dc(type) AS dc_type BY User
| where dc_type=1 AND EventCode=4648

Ciao.
Giuseppe

0 Karma
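The grouping logic in the reply above, reproduced as an added Python example over constructed event records (not code from the thread or from Splunk). It assumes Account_Name is multivalued with the subject at index 0 and the target account at index 1, and reads the thread's `User!=$` filter as excluding machine accounts ending in `$`.

```python
"""Set difference over Windows Security events, mirroring the
`stats dc(type) BY User | where dc_type=1` approach (added example)."""
from collections import defaultdict

# Constructed sample events (not real log data). Field names follow the
# Splunk Windows add-on; Account_Name index 1 is the target account.
EVENTS = [
    {"EventCode": 4648, "Keywords": "Audit Success", "Account_Name": ["SYSTEM", "alice"]},
    {"EventCode": 4648, "Keywords": "Audit Success", "Account_Name": ["SYSTEM", "bob"]},
    {"EventCode": 4723, "Keywords": "Audit Success", "Account_Name": ["bob", "bob"]},
    {"EventCode": 4648, "Keywords": "Audit Success", "Account_Name": ["SYSTEM", "carol"]},
    {"EventCode": 4724, "Keywords": "Audit Success", "Account_Name": ["admin1", "carol"]},
    {"EventCode": 4648, "Keywords": "Audit Failure", "Account_Name": ["SYSTEM", "dave"]},
    {"EventCode": 4724, "Keywords": "Audit Success", "Account_Name": ["admin1", "erin"]},
    {"EventCode": 4648, "Keywords": "Audit Success", "Account_Name": ["SYSTEM", "frank$"]},
]

LOGIN_CODES = {4648}        # explicit-credential logon
PWD_CODES = {4723, 4724}    # user password change / admin password reset

def target_user(event):
    """Equivalent of mvindex(Account_Name,1): the account acted upon."""
    names = event.get("Account_Name", [])
    return names[1] if len(names) > 1 else None

def users_by_type(events):
    """Collect the set of event types seen per user (login / pwd)."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("Keywords") != "Audit Success":
            continue
        user = target_user(ev)
        if not user or user.endswith("$"):   # assumption: drop machine accounts
            continue
        if ev["EventCode"] in LOGIN_CODES:
            seen[user].add("login")
        elif ev["EventCode"] in PWD_CODES:
            seen[user].add("pwd")
    return seen

def logged_in_without_password_change(events):
    """Users whose only event type is 'login': dc(type)=1 and type=login."""
    seen = users_by_type(events)
    return sorted(u for u, types in seen.items() if types == {"login"})

if __name__ == "__main__":
    print(logged_in_without_password_change(EVENTS))  # ['alice']
```

Like the SPL version, this only sees users who appear in the retained logs, so a lookback longer than the index retention still cannot prove a password was never changed.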

erikwie
Path Finder

I can't tell if this solves it or not, I'm unable to run the search as it seems to time out before completing. The last attempt has now been running for 4 hours. The Splunk server is idling and the counter of events matched has not moved for at least the last hour, still no errors from the search yet.

0 Karma