Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare last value and the second last value if they are non-numeric

massumtaqi
New Member
‎09-20-2019 01:23 PM

I want to get notified every time when an account expiry date is removed from Active directory and set to Never

"Account_Expires" is the field name that is changing in the logs.

For example:

Last value of "Account_Expires" is set to never
second last value of "Account_Expires" is set to " 01/01/2020"

How do I compare them to get my result?

0 Karma
Reply

woodcock
Esteemed Legend
‎09-21-2019 07:39 AM

You can do it like this:

Your Core Search
| eventstats dc(Account_Expires) AS expirations BY host plus mabye other values here
| where expirations > 1
0 Karma
Reply

massumtaqi
New Member
‎09-25-2019 11:02 AM

No , Didnt work. Is there any way i can compare the date format with string?

Because if the date of an account to expire was 10/01/2019 and changed to never. I can check the formats of these two values to get my results.

if last value was date (10/01/2019) and new value is string (never). How do i check that?

0 Karma
Reply

woodcock
Esteemed Legend
‎09-20-2019 01:51 PM

The distance to never and any point in time is undefined; the distance between infinity and any point of time is infinity.

0 Karma
Reply

massumtaqi
New Member
‎09-20-2019 04:50 PM

Then what do i write that tells me when an account expiry date from AD is changed from a certain date to never?

0 Karma
Reply

massumtaqi
New Member
‎09-20-2019 04:42 PM

How do i compare last and second last non numeric value anyways? I know delta is used for numeric.

If I cannot compare these two non numeric values, what do i write in the search that tells me that the user account expiry date is changed from a certain date to never?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...