
compare result of two search results of usernames

Explorer

I need to get a list of all users that haven't changed their password (Windows) in a set timespan. The timespan exceeds the length of the Splunk log data.
I have made a search that gives me the usernames of all successful logins, and another search that gives me the usernames of users that have changed their passwords.
But I can't figure out a way to compare the two results so that I get a list of all usernames that are in the user login list but not in the password change list.
Any suggestions to get this comparison to work are much appreciated. If I'm way off on my search, please enlighten me.

This is the search I have so far.

index=winevents (EventCode=4723 OR EventCode=4724) Keywords="Audit Success"
| eval User=mvindex(Account_Name,1)
| dedup User
| search User!="*$"
| sort User
| rename User AS User_PW
| table User_PW
| append
[ search index=winevents EventCode=4648 Keywords="Audit Success"
| eval User=mvindex(Account_Name,1)
| dedup User
| search User!="*$"
| sort User
| rename User AS User_Login
| table User_Login ]

1 Solution

Explorer

This is the code that solved my need for a list of users whose Password Last Change timestamp was updated without the password being changed.
I found a way to get the information in a super easy way. On my single-instance Splunk the search runs for 42 seconds on a 60-day search.

index=winevents Account_Domain="YourDomain" ((EventCode=4738 Password_Last_Set!="<never>") OR EventCode=4723)
| convert timeformat="%Y.%m.%d" ctime(_time) AS timestamp 
| eval Message=split(Message,".") 
| eval Short_Message=mvindex(Message,0) 
| eval Admin=mvindex(Account_Name,0) 
| eval User=mvindex(Account_Name,1) 
| transaction User maxspan=7d
| search EventCode=4738 EventCode!=4723 Admin=_* Password_Last_Set!="-"
| table timestamp EventCode Short_Message Admin User Keywords Password_Last_Set


Legend

Hi @erikwie,
in this way you could have a problem because there's the limit of 50,000 results in subsearches.

So, please try something like this:

index=winevents (EventCode=4723 OR EventCode=4724 OR EventCode=4648) Keywords="Audit Success"
| eval User=mvindex(Account_Name,1)
| search User!="*$"
| sort User
| eval type=if(EventCode="4648","login","pwd")
| stats values(EventCode) AS EventCode dc(type) AS dc_type BY User
| where dc_type=1 AND EventCode=4648

Ciao.
Giuseppe

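Added example, not from the thread: a small Python model of what the stats-based search above does, run over constructed events, so the grouping logic (including why the EventCode=4648 clause is needed on top of dc_type=1) can be checked before the search is run against a large index.

```python
from collections import defaultdict

# Constructed sample events in the shape the search works with. On Windows
# security events Account_Name is multivalued: index 0 is the subject (who
# acted), index 1 is the target account, hence mvindex(Account_Name,1).
EVENTS = [
    {"EventCode": "4648", "Keywords": "Audit Success", "Account_Name": ["WS01$", "alice"]},
    {"EventCode": "4648", "Keywords": "Audit Success", "Account_Name": ["WS02$", "bob"]},
    {"EventCode": "4723", "Keywords": "Audit Success", "Account_Name": ["bob", "bob"]},
    {"EventCode": "4648", "Keywords": "Audit Success", "Account_Name": ["WS03$", "carol"]},
    {"EventCode": "4724", "Keywords": "Audit Success", "Account_Name": ["admin1", "carol"]},
    {"EventCode": "4648", "Keywords": "Audit Success", "Account_Name": ["WS01$", "WS04$"]},
    {"EventCode": "4723", "Keywords": "Audit Failure", "Account_Name": ["alice", "alice"]},
    {"EventCode": "4723", "Keywords": "Audit Success", "Account_Name": ["dave", "dave"]},
]

PWD_CODES = {"4723", "4724"}   # password change / reset
LOGIN_CODE = "4648"            # explicit-credential logon


def users_logged_in_without_password_change(events):
    """Tag each event 'login' or 'pwd', collect the distinct types per target
    user (stats dc(type) BY User) and keep users whose only type is login."""
    types_by_user = defaultdict(set)
    codes_by_user = defaultdict(set)
    for ev in events:
        if ev.get("Keywords") != "Audit Success":   # Keywords="Audit Success"
            continue
        code = ev["EventCode"]
        if code != LOGIN_CODE and code not in PWD_CODES:
            continue
        user = ev["Account_Name"][1]                 # mvindex(Account_Name,1)
        if user.endswith("$"):                       # User!="*$": skip machine accounts
            continue
        types_by_user[user].add("login" if code == LOGIN_CODE else "pwd")
        codes_by_user[user].add(code)
    # where dc_type=1 AND EventCode=4648: a user seen only with password
    # events (dave) also has dc_type=1, so the EventCode check is required.
    return sorted(u for u, t in types_by_user.items()
                  if len(t) == 1 and LOGIN_CODE in codes_by_user[u])


if __name__ == "__main__":
    print(users_logged_in_without_password_change(EVENTS))   # ['alice']
```

bob and carol drop out because a 4723/4724 success exists for them; alice's failed 4723 is ignored by the Keywords filter, so she is reported.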

Explorer

I can't tell if this solves it or not; I'm unable to run the search as it seems to time out before completing. The last attempt has now been running for 4 hours. The Splunk server is idling and the counter of events matched has not moved for at least the last hour, but still no errors from the search yet.
