Hi All,
I was working on a case where I have 2 fields extracted as "actordisplayName" & "targetUser" in the same raw log.
actordisplayName - who initiated the change, targetUser - to which user it was changed.
index=something displayMes="User update password"
| where actordisplayName!= targetUser
| table _time user, displayMes, actordisplayName, targetUser outcome.result
Running this for 30 days
Requirement: I need to search only for users where actordisplayName & targetUser is not same.
E.g.: I want only the results for my admin/someone who has done a password reset for me; I don't want the results for me resetting the password for my own account. In short, I need results for where actordisplayName & targetUser are not the same.
Fixed!
Thanks for the help
Resolution:
index=something displayMes="User update password"
| where 'actordisplayName'!='targetUser'
| table _time user, displayMes, actordisplayName, targetUser outcome.result
I don't see any results when I use "| where actordisplayName!= targetUser", maybe because on some day or other within the 30 days the actordisplayName would be the targetUser.
Your query is not doing any summarization, so it should be fetching all rows where password has changed and your query should work just fine. Just remove the where clause and see if you can manually find a record where they're different.
Yes, I did find the results using
index=something displayMes="User update password"
| table _time user, displayMes, actordisplayName, targetUser outcome.result
That is why I wanted to remove where actordisplayName!=targetUser & see, but that's not working.
When you run the query without the where clause, can you see any event where actordisplayName is not the same as targetUser?
I can think of two reasons why the where clause would return no results:
1) Every user is changing his own password
2) The user names in the two fields are in different formats (with and without domain name, for instance).
Again I ask, can you share some sanitized results?
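The second reason above (the two fields carrying the same account in different formats, such as "DOMAIN\user" versus "user@domain" versus a differently cased display name) is worth checking before trusting any actor-versus-target comparison. The following Python is an added example, not part of this thread or of Splunk itself: it runs the same "actor differs from target" filter over a few constructed events using the field names from the question, first on the raw strings and then after normalising both names, so that a self-reset is not misclassified as a reset done by someone else. The sample events and the normalisation rules are assumptions for illustration; in a real deployment the rules must match how your identity source actually formats the two fields.

```python
# Constructed sample events using the field names from the thread
# (actordisplayName, targetUser). All values are invented.
SAMPLE_EVENTS = [
    # alice resets her own password; the two fields name the same account
    # in different formats, so a raw string comparison treats it as a
    # third-party reset.
    {"_time": "2024-01-05T10:00:00Z", "displayMes": "User update password",
     "actordisplayName": "CORP\\alice", "targetUser": "alice@corp.example"},
    # a helpdesk admin resets bob's password (a genuine third-party reset)
    {"_time": "2024-01-05T10:05:00Z", "displayMes": "User update password",
     "actordisplayName": "CORP\\admin1", "targetUser": "bob@corp.example"},
    # carol resets her own password; only the letter case differs
    {"_time": "2024-01-06T08:30:00Z", "displayMes": "User update password",
     "actordisplayName": "Carol", "targetUser": "carol"},
    # another genuine third-party reset
    {"_time": "2024-01-07T16:45:00Z", "displayMes": "User update password",
     "actordisplayName": "helpdesk", "targetUser": "CORP\\dave"},
]


def normalize_user(name: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain' or 'User' to a lowercase bare 'user'.

    Assumed rule set for this example: strip a leading NetBIOS-style domain,
    strip a trailing UPN-style domain, ignore case and surrounding whitespace.
    """
    n = name.strip()
    if "\\" in n:                      # DOMAIN\user -> user
        n = n.rsplit("\\", 1)[1]
    if "@" in n:                       # user@domain -> user
        n = n.split("@", 1)[0]
    return n.lower()


def raw_third_party_resets(events):
    """Equivalent of '| where actordisplayName!=targetUser' on raw strings."""
    return [e for e in events if e["actordisplayName"] != e["targetUser"]]


def normalized_third_party_resets(events):
    """Same filter, but compare the normalised account names."""
    return [
        e for e in events
        if normalize_user(e["actordisplayName"]) != normalize_user(e["targetUser"])
    ]


def target_users(events):
    """Helper: normalised target accounts of the events that passed the filter."""
    return [normalize_user(e["targetUser"]) for e in events]


if __name__ == "__main__":
    print("raw comparison:        ", target_users(raw_third_party_resets(SAMPLE_EVENTS)))
    print("normalised comparison: ", target_users(normalized_third_party_resets(SAMPLE_EVENTS)))
```

On the constructed sample, the raw comparison flags all four events as third-party resets, whereas the normalised comparison keeps only the two where a different account really performed the change. The same normalisation can be expressed in SPL with an eval step before the where clause; the point of the example is that the comparison is only meaningful once both fields are in the same format.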
How is that query failing to meet the requirements? Can you share some sanitized results?