Splunk Search

Compare entry date to the selected revisit date to figure out when a user is being added to the lookup table

Italy1358
Path Finder

Here is my xml code so far:
<form version="1.1" theme="dark">
<init>
<set token="none">None</set>
<set token="tokTypeInputVisible">Yes</set>
<unset token="user_tok"></unset>
<unset token="description_tok"></unset>
<unset token="revisit_tok"></unset>
<unset token="dropdown_tok"></unset>
<unset token="add"></unset>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
</init>
<label>USB</label>
<fieldset submitButton="false" autoRun="false">
<input type="text" token="user_tok" searchWhenChanged="false">
<label>User</label>
<default></default>
</input>
<input type="text" token="description_tok" searchWhenChanged="false">
<label>Description</label>
<default></default>
</input>
<input type="dropdown" token="revisit_tok" searchWhenChanged="false">
<label>Revisit</label>
<choice value="select Month">Select</choice>
<choice value="1 month">1 Month</choice>
<choice value="2 month">2 Month</choice>
<choice value="3 month">3 Month</choice>
<choice value="4 month">4 Month</choice>
<choice value="5 month">5 Month</choice>
<choice value="6 month">6 Month</choice>
<change>
<condition value="1 month">
<set token="1 month"></set>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="2 month">
<unset token="1 month"></unset>
<set token="2 month"></set>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="3 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<set token="3 month"></set>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="4 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<set token="4 month"></set>
<unset token="5 month"></unset>
<unset token="6 month"></unset>
</condition>
<condition value="5 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<set token="5 month"></set>
<unset token="6 month"></unset>
</condition>
<condition value="6 month">
<unset token="1 month"></unset>
<unset token="2 month"></unset>
<unset token="3 month"></unset>
<unset token="4 month"></unset>
<unset token="5 month"></unset>
<set token="6 month"></set>
</condition>
</change>
</input>
<input type="dropdown" token="dropdown_tok" depends="$tokTypeInputVisible$">
<label>Action</label>
<choice value="none">None</choice>
<choice value="add">Add</choice>
<choice value="remove">Remove</choice>
<choice value="reauthorize">Reauthorize</choice>
<change>
<condition value="none">
<set token="none"></set>
<unset token="add"></unset>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
</condition>
<condition value="add">
<set token="add"></set>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
<unset token="none"></unset>
</condition>
<condition value="remove">
<unset token="add"></unset>
<set token="remove"></set>
<unset token="reauthorize"></unset>
<unset token="none"></unset>
</condition>
<condition value="reauthorize">
<unset token="add"></unset>
<unset token="none"></unset>
<unset token="remove"></unset>
</condition>
</change>
<default>none</default>
</input>
</fieldset>
<row>
<panel depends="$none">
<title>USb_BAU</title>
<table>
<search>
<query>
| inputlookup USB.csv
| table _time, user, category, department, description, revisit, status
| lookup lookup user as user OUTPUT category department
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel depends="$add$">
<title>Add User</title>
<table>
<search>
<query>
| inputlookup USB.csv
| append [ | makeresults
| eval user="$user_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$"]
| table _time, user, category, department, description, revisit, status
| lookup lookup user as user OUTPUT category department
| outputlookup USB.csv</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<unset token="add"></unset>
<unset token="remove"></unset>
<unset token="reauthorize"></unset>
</done>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel depends="$remove$">
<title>Remove User</title>
<table>
<search>
<query>| inputlookup USB.csv
| where user != "$user_tok$"
| table _time, user, category, department, description, revisit, status
| outputlookup USB.csv
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<unset token="remove"></unset>
</done>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel depends="$revisit_tok$">
<title>Revisit User</title>
<table>
<search>
<query>
| inputlookup USB.csv
| eval 1 month="$1 month$", 2 month="$2 month$", 3 month="$3 month$", 4 month="$4 month$", 5 month="$5 month$", 6 month="$6 month$"
| eval status = IF((now() &lt; 1 month), "Expired","Valid")
| table _time, user, category, department, description, revisit, status
| outputlookup USB.csv
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>

basically I am trying to figure out when a user is being added to the lookup table and you click on add, I need to check the date they were added to the month selection and if it is past the month they selected then that user is inactive and there is a reauthorize option to reactivate them on the lookup table.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...