How to compare last value and the second last value if they are non-numeric

New Member

I want to get notified every time an account expiry date is removed from Active Directory and set to Never.

"Account_Expires" is the field name that is changing in the logs.

For example:

Last value of "Account_Expires" is set to "never"
Second last value of "Account_Expires" is set to "01/01/2020"

How do I compare them to get my result?


Re: How to compare last value and the second last value if they are non-numeric

Esteemed Legend

The distance to never and any point in time is undefined; the distance between infinity and any point of time is infinity.


Re: How to compare last value and the second last value if they are non-numeric

New Member

How do I compare the last and second last non-numeric values anyway? I know delta is used for numeric values.

If I cannot compare these two non-numeric values, what do I write in the search that tells me that the user account expiry date has changed from a certain date to never?


Re: How to compare last value and the second last value if they are non-numeric

New Member

Then what do I write that tells me when an account expiry date from AD is changed from a certain date to never?


Re: How to compare last value and the second last value if they are non-numeric

Esteemed Legend

You can do it like this:

Your Core Search
| eventstats dc(Account_Expires) AS expirations BY host plus maybe other values here
| where expirations > 1

Re: How to compare last value and the second last value if they are non-numeric

New Member

No, didn't work. Is there any way I can compare the date format with a string?

Because if the expiry date of an account was 10/01/2019 and changed to never, I can check the formats of these two values to get my results.

If the last value was a date (10/01/2019) and the new value is a string (never), how do I check that?

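As an added example (not from the thread or from Splunk), here is the last-vs-second-last comparison the thread asks for, written in Python over constructed sample events: per user, sort by time, keep the two most recent Account_Expires values, and flag the user when the older value parses as a date and the newest is "never". The event layout, the user field and the MM/DD/YYYY date format are assumptions; in SPL the same carry-forward of the previous value per user is what streamstats with current=f does.

```python
import re
from datetime import datetime

# Constructed sample events (not from the thread): one AD account-change
# event per line, with the fields as Splunk would extract them.
SAMPLE_EVENTS = [
    '2020-03-01T09:00:00 user=alice Account_Expires="01/01/2020"',
    '2020-03-02T10:15:00 user=bob Account_Expires="10/01/2019"',
    '2020-03-03T11:30:00 user=alice Account_Expires="Never"',
    '2020-03-04T08:00:00 user=carol Account_Expires="Never"',
    '2020-03-05T12:00:00 user=bob Account_Expires="12/31/2021"',
    '2020-03-06T12:00:00 user=carol Account_Expires="Never"',
]

# Assumed event layout: ISO timestamp, user=<name>, Account_Expires="<value>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) Account_Expires="(?P<exp>[^"]*)"$'
)


def parse_expiry(value):
    """Return a datetime for a date-formatted value; None for 'never' or junk."""
    if value.strip().lower() == "never":
        return None
    try:
        return datetime.strptime(value.strip(), "%m/%d/%Y")  # assumed format
    except ValueError:
        return None


def find_expiry_removed(lines):
    """Return (user, previous, latest) for users whose latest Account_Expires
    is 'never' while the second-last value was a real date."""
    history = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # line does not carry the field; nothing to compare
        history.setdefault(m["user"], []).append((m["ts"], m["exp"]))

    flagged = []
    for user, values in history.items():
        values.sort()  # ISO timestamps sort correctly as strings
        if len(values) < 2:
            continue  # only one value seen, no previous value to compare
        (_, prev), (_, last) = values[-2], values[-1]
        if last.strip().lower() == "never" and parse_expiry(prev) is not None:
            flagged.append((user, prev, last))
    return flagged
```

Running it on the sample flags only alice (date changed to Never); bob still has a date and carol was already Never, so neither is reported.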