Splunk Search

Compare entry date to the selected revisit date to figure out when a user is being added to the lookup table

Italy1358
Path Finder

Here is my xml code so far:
<form version="1.1" theme="dark">
<init>
<set token="none">None</set>
<set token="tokTypeInputVisible">Yes</set>
<unset token="user_tok"></unset>
<unset token="description_tok"></unset>
<unset token="revisit_tok"></unset>
<unset token="dropdown_tok"></unset>
<unset token="add"></unset>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
</init>
<label>USB</label>
<fieldset submitButton="false" autoRun="false">
<input type="text" token="user_tok" searchWhenChanged="false">
<label>User</label>
<default></default>
</input>
<input type="text" token="description_tok" searchWhenChanged="false">
<label>Description</label>
<default></default>
</input>
<input type="dropdown" token="revisit_tok" searchWhenChanged="false">
<label>Revisit</label>
<choice value="select Month">Select</choice>
<choice value="1 month">1 Month</choice>
<choice value="2 month">2 Month</choice>
<choice value="3 month">3 Month</choice>
<choice value="4 month">4 Month</choice>
<choice value="5 month">5 Month</choice>
<choice value="6 month">6 Month</choice>
<change>
<condition value="1 month">
<set token="1 month"></set>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="2 month">
<unset token="1 month"></unset>
<set token="2 month"></set>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="3 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<set token="3 month"></set>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="4 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<set token="4 month"></set>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="5 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<set token="5 month"></set>
<unset token="6 month"></unset>
</condition>
<condition value="6 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<set token="6 month"></set>
</condition>
</change>
</input>
<input type="dropdown" token="dropdown_tok" depends="$tokTypeInputVisible$">
<label>Action</label>
<choice value="none">None</choice>
<choice value="add">Add</choice>
<choice value="remove">Remove</choice>
<choice value="reauthorize">Reauthorize</choice>
<change>
<condition value="none">
<set token="none"></set>
<unset token="add"></unset>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
</condition>
<condition value="add">
<set token="add"></set>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
<unset token="none"></unset>
</condition>
<condition value="remove">
<unset token="add"></unset>
<set token="remove"></set>
<unset token="reauthorize"></unset>
<unset token="none"></unset>
</condition>
<condition value="reauthorize">
<unset token="add"></unset>
<unset token="none"></unset>
<unset token="remove"></unset>
</condition>
</change>
<default>none</default>
</input>
</fieldset>
<row>
<panel depends="$none">
<title>USb_BAU</title>
<table>
<search>
<query>
| inputlookup USB.csv
| table _time, user, category, department, description, revisit, status
| lookup lookup user as user OUTPUT category department
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel depends="$add$">
<title>Add User</title>
<table>
<search>
<query>
| inputlookup USB.csv
| append [ | makeresults
| eval user="$user_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$"]
| table _time, user, category, department, description, revisit, status
| lookup lookup user as user OUTPUT category department
| outputlookup USB.csv</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<unset token="add"></unset>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
</done>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel depends="$remove$">
<title>Remove User</title>
<table>
<search>
<query>| inputlookup USB.csv
| where user != "$user_tok$"
| table _time, user, category, department, description, revisit, status
| outputlookup USB.csv
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<unset token="remove"></unset>
</done>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel depends="$revisit_tok$">
<title>Revisit User</title>
<table>
<search>
<query>
| inputlookup USB.csv
| eval 1 month="$1 month$", 2 month="$2 month$", 3 month="$3 month$", 4 month="$4 month$", 5 month="$5 month$", 6 month="$6 month$"
| eval status = IF((now() &lt; 1 month), "Expired","Valid")
| table _time, user, category, department, description, revisit, status
| outputlookup USB.csv
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>

basically I am trying to figure out when a user is being added to the lookup table and you click on add, I need to check the date they were added to the month selection and if it is past the month they selected then that user is inactive and there is a reauthorize option to reactivate them on the lookup table.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...