Splunk Enterprise Security

I need to match the user col to the Expired user col from two different datasets

MikeVenable
Path Finder

I need an SPL that will take input from Authentication dataset in the Authentication datamodel, at the same time taking the expired_identities dataset from the Identity_Management datamodel. I want only the matches then i need the event time from when the authentication happened and when the identity was expired then eval. Below is what I have so far, it appends both data sources together and foreach is supposed to look for matches, it does, but I think it is only comparing the side by side column not searching the entire column for each entry in users. Thanks any help would be greatly appreciated.

| datamodel Authentication "Authentication" search
| stats count by Authentication.user | rename Authentication.user as user
| appendcols
[| datamodel Identity_Management "Expired_Identities" search
| stats count by All_Identities.LoginID]
| foreach user
[eval match=if(user=All_Identities.LoginID, user, NULL)]
| table user All_Identities.LoginID count match

0 Karma
1 Solution

to4kawa
Ultra Champion
| datamodel Authentication "Authentication" search 
| stats count by Authentication.user 
| rename Authentication.* as *
| append 
    [| datamodel Identity_Management "Expired_Identities" search 
    | stats count by All_Identities.LoginID
    | rename All_Identities.* as *] 
| eval user=coalesce(user, LoginID)
| stats sum(count) as count by user

Hi, @MikeVenable
how about this?

View solution in original post

0 Karma

to4kawa
Ultra Champion
| datamodel Authentication "Authentication" search 
| stats count by Authentication.user 
| rename Authentication.* as *
| append 
    [| datamodel Identity_Management "Expired_Identities" search 
    | stats count by All_Identities.LoginID
    | rename All_Identities.* as *] 
| eval user=coalesce(user, LoginID)
| stats sum(count) as count by user

Hi, @MikeVenable
how about this?

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...