Splunk Search

Display deleted events between 2 scheduled searches

saurabhkunte
Path Finder

Hi All,

Hoping you can help me out here.

I have a ps input indexing daily AD computer objects to Splunk. The scripted input is set to execute daily. Output is in the following manner :

2014/04/29 11:46:39 ServerName="am-dc02" ADSPath="CN=am-dc02,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:36"
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"

I am having difficulties displaying AD Computer objects that got deleted in the last 1 day, last 7 days and last 30 days period.
For eg if the search that ran yesterday indexed 2 AD computer objects and the next run of the scripted input indexed only 1 AD computer obj :
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"

How do I list the AD computer object that got deleted when the scripted input ran today ? As I am not including isDeleted AD object property, I have to rely on the time stamp that is written at the start of each event in the output. This is the logic i am using while building the search.

I search for current time - 1 day and get the results displayed. Then I make a sub search for displaying the results of the current day. Then I am using the diff command to get the results. however that does not work at all. Can somebody please help me ? THank you.

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this

AD objects deleted in last 1 day

...your base search... earliest=-1d@d latest=@d NOT [search ...your base search...earliest=@d | stats count by ServerName,ADSPath | table  ServerName,ADSPath | format]

This should give you all the AD groups that were present yesterday but not today.

Similarly change the earliest to "-7d@d" and "-30d@d" in the base search (not subsearch) to get object that were present in last 7days/30 days but not today.

View solution in original post

somesoni2
Revered Legend

Try this

AD objects deleted in last 1 day

...your base search... earliest=-1d@d latest=@d NOT [search ...your base search...earliest=@d | stats count by ServerName,ADSPath | table  ServerName,ADSPath | format]

This should give you all the AD groups that were present yesterday but not today.

Similarly change the earliest to "-7d@d" and "-30d@d" in the base search (not subsearch) to get object that were present in last 7days/30 days but not today.

saurabhkunte
Path Finder

Thanks Soni,

This search of yours works. Its just a bit slow to disaply results, but that would be coz the query making 2 searches against 2 different time frames.

0 Karma

lguinn2
Legend

Couldn't you do this? The following example is for a single day.

yoursearchhere earliest=-1d@d
| stats count by ServerName
| where count < 2

For an arbitrary number of days, this might be better:

yoursearchhere
| stats count range(_time) as range earliest(_time) as firstSeenOn latest(_time) as lastSeenOn by ServerName
| eval numDays = round(range/86400,0)
| where count < numDays
| table ServerName firstSeenOn lastSeenOn

or even

yoursearchhere
| stats latest(_time) as lastSeenOn by ServerName
| eval lastSeenOn = relative_time(lastSeenOn,"@d")
| eval today = relative_time(now(),"@d")
| where lastSeenOn < today
| fields - today
0 Karma

lguinn2
Legend

Or remove the where commands and see what you get

0 Karma

lguinn2
Legend

What search are you using? Also, what do you see if you enter

yoursearchhere
| table _time ServerName

0 Karma

saurabhkunte
Path Finder

Thanks for you reply.

However none of these searches display any results. It says there are few matching events, but it does not display the results. I tried breaking up the search strings you provided but I am unable to figure out why the search does not return any results.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...