Join the Conversation
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Help with a search to check recent activity and se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I would like to make sure I got this correct and I cant seem to find the answer anywhere.
I added the whole search for context but I am bit concerned with is:
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)
I want to make sure I am checking the last 30 days of admin activity in the lookup against the 15m I just searched for. If nothing is found no alarm but if a new value is found then I want an alarm. Let me know what you all think and thank you in advance for your input.
SourceName="Microsoft Windows security auditing." user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$" user!="ANONYMOUS LOGON" user!="IUSR"
EventCode=4672 earliest=-15m
| stats earliest(_time) as earliest latest(_time) as latest by user
| inputlookup append=t previously_seen_superadmins.csv
| stats min(earliest) as earliest max(latest) as latest by user
| outputlookup previously_seen_superadmins.csv
**| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)**
| convert ctime(earliest) ctime(latest)
| where isOutlier=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)
This query will cause the isOutliner to be 30 or 0.
| where isOutlier=1
However, the result is different because isOutliner with 1 is selected by this query.
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)
How about it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)
This query will cause the isOutliner to be 30 or 0.
| where isOutlier=1
However, the result is different because isOutliner with 1 is selected by this query.
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)
How about it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay that makes sense. I had a fundamental misunderstanding about what those numbers meant. I want the isOutlier to = 1 because I want the first occurrence to be the condition that triggers the alarm. And the time period in that its checking against in the CSV to be 30 days so if i understand it should go like this. "| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0)"
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
Data Management Digest – December 2025
