Splunk Search

How to compare last value and the second last value if they are non-numeric

massumtaqi
New Member

I want to get notified every time when an account expiry date is removed from Active directory and set to Never

"Account_Expires" is the field name that is changing in the logs.

For example:

Last value of "Account_Expires" is set to never
second last value of "Account_Expires" is set to " 01/01/2020"

How do I compare them to get my result?

0 Karma

woodcock
Esteemed Legend

You can do it like this:

Your Core Search
| eventstats dc(Account_Expires) AS expirations BY host plus mabye other values here
| where expirations > 1
0 Karma

massumtaqi
New Member

No , Didnt work. Is there any way i can compare the date format with string?

Because if the date of an account to expire was 10/01/2019 and changed to never. I can check the formats of these two values to get my results.

if last value was date (10/01/2019) and new value is string (never). How do i check that?

0 Karma

woodcock
Esteemed Legend

The distance to never and any point in time is undefined; the distance between infinity and any point of time is infinity.

0 Karma

massumtaqi
New Member

Then what do i write that tells me when an account expiry date from AD is changed from a certain date to never?

0 Karma

massumtaqi
New Member

How do i compare last and second last non numeric value anyways? I know delta is used for numeric.

If I cannot compare these two non numeric values, what do i write in the search that tells me that the user account expiry date is changed from a certain date to never?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...