Solved: Timechart for created/disabled users

jypysplunk · ‎05-29-2017

Hi, I'm looking to create a timechart of Active directory users created & disabled, so we can have an overview of new & leaving employee over the time.
I'm trying to do this using the index wineventlog (from the Splunk App for Windows Infrastructure). I came up with this query:

index=wineventlog earliest=-180d@d user!="*\$" user!="\$*" (EventCode=4720 OR EventCode=4725) | eval action=if(EventCode=4725,"disabled",action) | eval action=upper(action) | rename action as Action | dedup user,Action| timechart count by Action span=1mon

I've changed the query to get a table with the users and the associated action.

index=wineventlog earliest=-180d@d user!="*\$" user!="\$*" (EventCode=4720 OR EventCode=4725) | eval action=if(EventCode=4725,"disabled",action) | eval action=upper(action) | rename action as Action | dedup user,Action| table user,Action,_time

Due to our new user process, some of them have a created event and then a disabled with some seconds/minutes between them like

User Action Time
user.name1 Disabled 2017-01-27 06:19:32
user.name1 Created 2017-01-27 06:18:26
user.name2 Disabled 2017-01-25 03:21:31
user.name3 Disabled 2017-01-23 03:12:35
user.name3 Created 2017-01-23 03:11:43
user.name4 Disabled 2017-01-23 02:18:26

I would like to exclude the Disabled event when a user has been created on the same day. I've tried with dedup but I couldn't make it work as it keep the first occurence (that would always be disabled)
This would be the desired result:

User Action Time
user.name1 Created 2017-01-27 06:18:26
user.name2 Disabled 2017-01-25 03:21:31
user.name3 Created 2017-01-23 03:11:43
user.name4 Disabled 2017-01-23 02:18:26

Thanks for your help

woodcock · ‎05-29-2017

Like this:

|makeresults | eval raw="user.name1 Disabled 2017-01-27 06:19:32
user.name1 Created 2017-01-27 06:18:26
user.name2 Disabled 2017-01-25 03:21:31
user.name3 Disabled 2017-01-23 03:12:35
user.name3 Created 2017-01-23 03:11:43
user.name4 Disabled 2017-01-23 02:18:26"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<User>\S+)\s+(?<Action>\S+)\s+(?<Time>.*)$"

| rename COMMENT AS "Everything above creates test event data; everything below is your solution"

| eval _time = strptime(Time, "%Y-%m-%d %H:%M:%S")
| sort 0 - _time
| bin _time span=1d
| eventstats count(eval(Action="Created")) AS createds BY User _time
| search Action="Created" OR createds=0

View solution in original post

woodcock · ‎05-29-2017

Like this:

|makeresults | eval raw="user.name1 Disabled 2017-01-27 06:19:32
user.name1 Created 2017-01-27 06:18:26
user.name2 Disabled 2017-01-25 03:21:31
user.name3 Disabled 2017-01-23 03:12:35
user.name3 Created 2017-01-23 03:11:43
user.name4 Disabled 2017-01-23 02:18:26"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<User>\S+)\s+(?<Action>\S+)\s+(?<Time>.*)$"

| rename COMMENT AS "Everything above creates test event data; everything below is your solution"

| eval _time = strptime(Time, "%Y-%m-%d %H:%M:%S")
| sort 0 - _time
| bin _time span=1d
| eventstats count(eval(Action="Created")) AS createds BY User _time
| search Action="Created" OR createds=0

jypysplunk · ‎05-30-2017

Perfect! Thanks for your quick answer.

woodcock · ‎05-30-2017

If it worked for you, be sure to click Accept on the answer to close the question.

Timechart for created/disabled users

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk