Splunk Enterprise Security

I need to match the user col to the Expired user col from two different datasets

MikeVenable
Path Finder

I need an SPL that will take input from the Authentication dataset in the Authentication datamodel, at the same time taking the Expired_Identities dataset from the Identity_Management datamodel. I want only the matches, then I need the event time from when the authentication happened and when the identity was expired, then eval. Below is what I have so far; it appends both data sources together and foreach is supposed to look for matches. It does, but I think it is only comparing the side-by-side column, not searching the entire column for each entry in users. Thanks, any help would be greatly appreciated.

| datamodel Authentication "Authentication" search
| stats count by Authentication.user | rename Authentication.user as user
| appendcols
[| datamodel Identity_Management "Expired_Identities" search
| stats count by All_Identities.LoginID]
| foreach user
[eval match=if(user=All_Identities.LoginID, user, NULL)]
| table user All_Identities.LoginID count match

0 Karma
1 Solution

to4kawa
Ultra Champion
| datamodel Authentication "Authentication" search 
| stats count by Authentication.user 
| rename Authentication.* as *
| append 
    [| datamodel Identity_Management "Expired_Identities" search 
    | stats count by All_Identities.LoginID
    | rename All_Identities.* as *] 
| eval user=coalesce(user, LoginID)
| stats sum(count) as count by user

Hi, @MikeVenable
how about this?

0 Karma
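The accepted answer unions both datasets and sums counts per user, but it does not by itself drop users that appear in only one of them, nor carry the event times the question asks for. Below is an added example search (not from either poster) that keeps only users present in both datasets and compares the last authentication time against the identity's expiry. It assumes the Expired_Identities dataset exposes an expiry field named All_Identities.endDate stored as a "%Y-%m-%d" string; that field name and date format are assumptions, and the output column names are mine.

```spl
| datamodel Authentication "Authentication" search
| fields _time Authentication.user
| rename Authentication.user as user
| eval src="auth", auth_time=_time
| append
    [| datamodel Identity_Management "Expired_Identities" search
    | fields All_Identities.LoginID All_Identities.endDate
    | rename All_Identities.LoginID as user, All_Identities.endDate as endDate
    | eval src="expired"]
| stats dc(src) as sources, count(auth_time) as auth_count,
        min(auth_time) as first_auth, max(auth_time) as last_auth,
        max(endDate) as endDate by user
| where sources=2
| eval expired_at=strptime(endDate, "%Y-%m-%d")
| eval auth_after_expiry=if(last_auth > expired_at, "yes", "no")
| eval first_auth=strftime(first_auth, "%Y-%m-%d %H:%M:%S"),
       last_auth=strftime(last_auth, "%Y-%m-%d %H:%M:%S")
| table user auth_count first_auth last_auth endDate auth_after_expiry
```

The `src` marker and `dc(src)` are what enforce "matches only": a user reaches the final table only when rows from both the auth side and the expired side were grouped under the same `user` value, so `foreach` is not needed. `auth_time` is set only on authentication rows so the identity rows do not pollute the first/last timestamps. Two practical caveats: `append` runs a subsearch, so the default subsearch result and time limits apply to the expired-identity side, and the comparison is only meaningful if `user` and `LoginID` are normalized the same way (case, domain prefix) in both datamodels, which is worth checking with a quick `| stats count by user` on each side before trusting the result.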