Splunk Enterprise Security

How can I achieve this absence of event?

Nawab
Communicator

I want to create a use case; below is the scenario.

Let's suppose we have a device that will create a new temp user for every new session and deletes that user when the session is ended.

Now I want to check if a user is created but not deleted within 24 hours.

How can I achieve this absence of event?


Nawab
Communicator

Okay! So here I am looking for one query that will fit all absence-of-event cases.
Let me give you another example.
Let's say there is an update related to any product that is pushed, so now the update will be either successful or failed.
Now some hosts will have a success event and some will have a failed event. In this case, both hosts will have the same number of events, i.e. 1, either success or failure.
I want to check if there is a failure but no success for the same policy in the last 24 hours.

Again, here I am looking for a query that will fix all absence-of-event cases.


inventsekar
SplunkTrust

Maybe you should provide some sample logs of how the new-user-created and user-deleted logs look.

This task is achievable; just a good logic/idea is needed. When we can see the sample logs, we can try to work on the SPL query step by step. Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

Nawab
Communicator

This will generate false positives in different cases. I have given an example case, but I need logic for every case where an event is not available: the 1st event is available and the 2nd is not, and the flow of logs is from 1st to 2nd, so if the 2nd event occurred before the 1st it should not be counted.


ITWhisperer
SplunkTrust

So the temp user is not unique?

In that case, record the last time the user was created and the last time the user was deleted. If there is no delete, or the delete is prior to the create, and the create is more than 24 hours ago, you have your create without a delete.


ITWhisperer
SplunkTrust

Count events and track earliest event by user, then where count is 1 and first (create) event is more than 24 hours ago you have found the user which hasn't been deleted.

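The "last create vs. last delete per user" logic described in the two ITWhisperer replies above, written out as an SPL search. This is an added example, not a search posted in the thread; the index `device_logs`, sourcetype `session_audit`, and the fields `user` and `action` (values `user_created` / `user_deleted`) are assumed names that need to be swapped for the ones in the real events. Because it compares the latest timestamps rather than counting events, a username that is reused across sessions, or a delete that precedes the create, is handled without a false positive.

```spl
index=device_logs sourcetype=session_audit action IN ("user_created", "user_deleted")
| eval create_time=if(action="user_created", _time, null())
| eval delete_time=if(action="user_deleted", _time, null())
| stats max(create_time) AS last_create, max(delete_time) AS last_delete BY user
| where isnotnull(last_create)
    AND (isnull(last_delete) OR last_delete < last_create)
    AND last_create < relative_time(now(), "-24h")
| eval last_create=strftime(last_create, "%Y-%m-%d %H:%M:%S")
| eval last_delete=coalesce(strftime(last_delete, "%Y-%m-%d %H:%M:%S"), "never")
| table user, last_create, last_delete
```

Run it over a time range wider than 24 hours (for example the last 7 days), otherwise a delete that happened after the create but outside the search window is never seen and the user is reported as still present. The same pattern covers the second scenario in the thread by grouping on the policy field and treating the failure event as the "create" and the success event as the "delete".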