Splunk Search
Highlighted

How to edit my search to extract Splunk user accounts and the dates they were created?

Motivator

Hi, I wonder whether someone may be able to help me please.

I'm using the search below to extract the date when Splunk user accounts have been created:

index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp

I'm then using the search below to extract a list of all user accounts:

 |rest /services/authentication/users splunk_server=local 
 |fields realname
 |rename realname as user
 |table user

What I'd like to do is display a list of all user accounts and if they have been created within a chosen time range with the date next to them.

So I've then tried to combine the two using the search below:

index=_audit action=edit_user operation=create
|fields object
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
|convert timeformat="%d/%b/%Y" ctime(timestamp)
       |join user[search |rest /services/authentication/users splunk_server=local 
       |fields realname
       |rename realname as user
        |table user]
|table user timestamp

The problem I have is that when I run this I receive the following error:

Error in 'rest' command: This command must be the first command of a search.

I just wondered whether someone may be able to look at this please and let me know how I can get around this.

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

SplunkTrust
SplunkTrust

Hello Chris,

Please remove the search just before the |rest from subsearch. Ie

Your searcch |join user [|rest /services/authentication/users splunk_server=local  rest of your search
Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

Motivator

Hi thank you for coming back to me with this.

I've removed the search but it is not creating the list of accounts the the dates if they were set up in the given time period.

It is also not displaying the full list of dates against the user names for accounts I know were created in my given time range.

It's almost as if the subsearch is not being run.

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

SplunkTrust
SplunkTrust

Hi Chris,

  • Are you getting result for the search |rest /services/authentication/users splunk_server=local ?
  • Are you getting the result for the search index=_audit action=edit_user operation=create ?
  • Also you might need to use title from rest as user instead of realname
0 Karma
Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

Motivator

Hi thank you for coming back to me and my apologies for not coming back to you sooner.

Although I've had to raise another ticket to ask for someone to check my logic, I think I may have solved this with the query as shown in the answer section.

Kind regards

Chris

0 Karma
Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

Super Champion

Have you considered using rest to create a lookup table for your users, and then use the lookup table in your base search, instead of rest?

Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

Motivator

Hi, thank you for replying.

To be honest I hadn't thought about using a lookup table. May be this is an option I could look into.

Many thanks for the suggestion and kind regards

Chris

0 Karma
Highlighted

Re: How to edit my search to extract Splunk user accounts and the dates they were created?

Motivator

Hi all,

Thank you for taking the time to look at my post and for the help, but I have been able to solve this as follows:

|rest /services/authentication/users splunk_server=local 
|fields title
|rename title as user
| join user type=left [
    | search index=_audit action="login attempt" earliest=-12mon
    | stats max(timestamp) as _time by user, sourcetype
 ]
 | where isnull(sourcetype)
 | fields - sourcetype
|join user type=outer [
    search index=_audit action=edit_user operation=edit earliest=0
    |rename object as user
    |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
    |convert timeformat="%d/%b/%Y" ctime(timestamp)
    |stats min(timestamp) as "created" by user
]

Kind Regards

Chris

View solution in original post

0 Karma