Hi, I wonder whether someone may be able to help me please.
I'm using the search below to extract the date when Splunk user accounts have been created:
index=_audit action=edit_user operation=create |rename object as user |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") |convert timeformat="%d/%b/%Y" ctime(timestamp) |table user timestamp
I'm then using the search below to extract a list of all user accounts:
|rest /services/authentication/users splunk_server=local |fields realname |rename realname as user |table user
What I'd like to do is display a list of all user accounts and if they have been created within a chosen time range with the date next to them.
So I've then tried to combine the two using the search below:
index=_audit action=edit_user operation=create |fields object |rename object as user |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") |convert timeformat="%d/%b/%Y" ctime(timestamp) |join user[search |rest /services/authentication/users splunk_server=local |fields realname |rename realname as user |table user] |table user timestamp
The problem I have is that when I run this I receive the following error:
Error in 'rest' command: This command must be the first command of a search.
I just wondered whether someone may be able to look at this please and let me know how I can get around this.
Many thanks and kind regards
Please remove the
search just before the |rest from subsearch. Ie
Your searcch |join user [|rest /services/authentication/users splunk_server=local rest of your search
Hi thank you for coming back to me with this.
I've removed the search but it is not creating the list of accounts the the dates if they were set up in the given time period.
It is also not displaying the full list of dates against the user names for accounts I know were created in my given time range.
It's almost as if the subsearch is not being run.
Many thanks and kind regards
|rest /services/authentication/users splunk_server=local?
index=_audit action=edit_user operation=create?
titlefrom rest as user instead of
Hi thank you for coming back to me and my apologies for not coming back to you sooner.
Although I've had to raise another ticket to ask for someone to check my logic, I think I may have solved this with the query as shown in the answer section.
Have you considered using rest to create a lookup table for your users, and then use the lookup table in your base search, instead of rest?
Hi, thank you for replying.
To be honest I hadn't thought about using a lookup table. May be this is an option I could look into.
Many thanks for the suggestion and kind regards
Thank you for taking the time to look at my post and for the help, but I have been able to solve this as follows:
|rest /services/authentication/users splunk_server=local |fields title |rename title as user | join user type=left [ | search index=_audit action="login attempt" earliest=-12mon | stats max(timestamp) as _time by user, sourcetype ] | where isnull(sourcetype) | fields - sourcetype |join user type=outer [ search index=_audit action=edit_user operation=edit earliest=0 |rename object as user |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") |convert timeformat="%d/%b/%Y" ctime(timestamp) |stats min(timestamp) as "created" by user ]