Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display days passed between current time and most recent activation - User Role Auditing

dmbr
Explorer
‎10-17-2021 05:17 PM

The answer to this probably stupid simple. Banging my head on this.

Help and patience please.
 
I am writing a query which audits user role activations.

A user can have many roles, i.e. Network Admin, Security Reader, User Admin, Storage Operator, etc.

Specifically, I want to view how many days has passed since a user activated a specific role.
 
Today - Last Activation = Days Since Last Activation

 

Questions:
  1. How can I most efficiently subtract the time of the most recent role activation event from the current time?
  2. How can I then only show the most recent results?
  3. How to then audit all users who have not activated a role in the past 30 days?

 

Base query for a single user search over 30 days and sample results are below.

 

 index=audit user=bob@example.com 
| eval days = round((now() - _time)/86400) 
| table Role, user, _time, days 
| sort - days

Sample Data Below

RoleUserName_timedays
Global Readerbob@example.com2021-09-19T08:35:06.99829
Global Readerbob@example.com2021-09-19T08:35:05.51429
Systems Administratorbob@example.com2021-09-23T05:55:51.17725
Systems Administratorbob@example.com2021-09-23T05:55:49.03625
Global Readerbob@example.com2021-09-24T00:48:20.25424
Storage Operatorbob@example.com2021-09-24T00:48:18.94224
Systems Administratorbob@example.com2021-09-27T07:22:23.97121
Systems Administratorbob@example.com2021-09-27T07:22:22.97121
Global Readerbob@example.com2021-09-27T07:19:40.56921
Global Readerbob@example.com2021-09-27T07:19:39.46021

 

Desired results only show the most recent events 

RoleUserName_timedays
Global Readerbob@example.com2021-09-24T00:48:20.25424
Storage Operatorbob@example.com2021-09-24T00:48:18.94224
Systems Administratorbob@example.com2021-09-27T07:22:22.97121
Global Readerbob@example.com2021-09-27T07:19:39.46021
Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2021 12:51 AM 
index=audit user=bob@example.com 
| stats latest(_time) as _time by user, Role
| eval days = round((now() - _time)/86400) 
| table Role, user, _time, days 
| sort - days

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2021 12:51 AM 
index=audit user=bob@example.com 
| stats latest(_time) as _time by user, Role
| eval days = round((now() - _time)/86400) 
| table Role, user, _time, days 
| sort - days
Reply
Solved! Jump to solution

dmbr
Explorer
‎10-18-2021 03:00 AM

Sincere Thank you ITWhisperer for the reply, much appreciated.

As expected, the solution was much stupid simple. 😂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...