Splunk Enterprise Security

I need to match the user col to the Expired user col from two different datasets

MikeVenable
Path Finder

I need an SPL that will take input from the Authentication dataset in the Authentication datamodel, at the same time taking the expired_identities dataset from the Identity_Management datamodel. I want only the matches, then I need the event time from when the authentication happened and when the identity was expired, then eval. Below is what I have so far; it appends both data sources together and foreach is supposed to look for matches. It does, but I think it is only comparing the side-by-side column, not searching the entire column for each entry in users. Thanks, any help would be greatly appreciated.

| datamodel Authentication "Authentication" search
| stats count by Authentication.user | rename Authentication.user as user
| appendcols
[| datamodel Identity_Management "Expired_Identities" search
| stats count by All_Identities.LoginID]
| foreach user
[eval match=if(user='All_Identities.LoginID', user, null())]
| table user All_Identities.LoginID count match

0 Karma
1 Solution

to4kawa
Ultra Champion
| datamodel Authentication "Authentication" search 
| stats count by Authentication.user 
| rename Authentication.* as *
| append 
    [| datamodel Identity_Management "Expired_Identities" search 
    | stats count by All_Identities.LoginID
    | rename All_Identities.* as *] 
| eval user=coalesce(user, LoginID)
| stats sum(count) as count by user

Hi, @MikeVenable
how about this?


0 Karma
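Building on the append-then-stats pattern in the answer above, the following search is an added example (not code from the thread or from Splunk ES) that keeps only users present in both datasets and computes how long after expiry the last authentication happened. It assumes the `All_Identities.LoginID` field from the question and an `All_Identities.endDate` field holding the expiry date as `MM/DD/YYYY`; adjust the field name and `strptime` format to match your identity lookup.

```spl
| datamodel Authentication "Authentication" search
| eval user='Authentication.user'
| stats min(_time) as first_auth, max(_time) as last_auth, count as auth_count by user
| append
    [| datamodel Identity_Management "Expired_Identities" search
     | eval user='All_Identities.LoginID',
            expired_at=strptime('All_Identities.endDate', "%m/%d/%Y")
     | stats min(expired_at) as expired_at by user]
| stats min(first_auth) as first_auth, max(last_auth) as last_auth,
        sum(auth_count) as auth_count, max(expired_at) as expired_at by user
| where isnotnull(last_auth) AND isnotnull(expired_at)
| eval hours_after_expiry=round((last_auth - expired_at) / 3600, 1)
| where hours_after_expiry > 0
| convert ctime(first_auth) ctime(last_auth) ctime(expired_at)
| table user auth_count first_auth last_auth expired_at hours_after_expiry
```

The `isnotnull` filter is what turns the union into an intersection: rows that came from only one dataset lack one of the two timestamps and drop out, so the result lists only expired identities that still authenticated, with the gap in hours for triage.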
