Re: How can I create a Dashboard to display only t... - Page 2

untieshoe · ‎04-08-2016

Specifically, if an AD user account attribute "employeeType" changes from "NULL" to "Contractor", how can I detect/filter for that? Ideally I'd make a Dashboard to display only the User Accounts for which that attribute changed from NULL to Contractor (or something other than NULL) over the previous week. I have Active Directory feeds already set up, so I already receive historical data (snapshots of AD) that contain the data I need (i.e. the 'before' value and 'after' value of the attribute).

untieshoe · ‎04-11-2016

It does not do that.
In fact, if I try only | where changedFrom!="01234567" then I end up with no results instead of the NULL results.
There are no spaces.

sundareshr · ‎04-12-2016

instead of .. | where changedFrom!="01234567" can you try .. | search changedFrom!="01234567".

untieshoe · ‎04-12-2016

That yields zero results.

untieshoe · ‎04-11-2016

I don't know how to upload a screen shot, but I did notice this:
The events for permutations 2 and 3 have the identical time stamps. Might this be a problem?

How can I create a Dashboard to display only those domain User Accounts for which the contents of a specific AD attribute has changed?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!