Solved: Account status -> bypassed, is it enabled?

jbanAtSplunk · ‎10-14-2021

Hi,

We have status in one log type, where we would like to track if account is in state: bypassed

Example:

2021-13-10 user1 bypassed

2021-13-10 user2 enabled

2021-13-09 user2 bypassed
2021-13-08 user3 bypassed

2021-13-08 user3 active
2021-13-08 user3 bypassed
2021-13-07 user3 active

how can we find last 2 status for user in period of time and than based on last bypass/active status we get only accounts that have still active bypass status?

jbanAtSplunk · ‎10-14-2021

Hey,

I think I solve this with this query using eventstats dc (this is giving me last two condition) where I can then see if the last status is Bypass.
example:

index=<index> sourcetype=<sourcetype> ( status="Enabled" OR status="Bypass") | eventstats dc(status) as state by user |  sort - _time user | eventstats latest(status) AS condition by user |  where condition=Bypass | ... playing with time condition

View solution in original post

richgalloway · ‎10-14-2021

To get the last 2 statuses for a user, use dedup 2.

... | dedup 2 user
...

To get the current status, use dedup.

... | dedup user
| where status="bypassed"

---
If this reply helps you, Karma would be appreciated.

jbanAtSplunk · ‎10-14-2021

Hey,

I think I solve this with this query using eventstats dc (this is giving me last two condition) where I can then see if the last status is Bypass.
example:

index=<index> sourcetype=<sourcetype> ( status="Enabled" OR status="Bypass") | eventstats dc(status) as state by user |  sort - _time user | eventstats latest(status) AS condition by user |  where condition=Bypass | ... playing with time condition

Account status -> bypassed, is it enabled?

eval

Other

stats

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials