Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search with IF/THEN logic to display usernames existing on a host for a given time range?

king2jd
Path Finder
‎12-13-2016 01:06 PM

Here is my search: 

| set diff [search index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days"][search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | table host,user,count,ReportKey

This returns two search results. The first shows all the usernames that existed on a host 30 days ago, and the second search shows the usernames that exist 24 hours ago. I am trying to only display results ONLY IF:

A. The Usernames existed 30 days, ago but didn't exist within 24 hours (meaning they were deleted) OR
B. The usernames existed within 24 hours and didn't exist 30 days ago (meaning they were recently created)

Been struggling through this and figured i would look to the community for help.

Much appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-13-2016 01:21 PM

Try this

For A

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey=">30 Days"

For B

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey="24 Hours"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-13-2016 01:21 PM

Try this

For A

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey=">30 Days"

For B

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey="24 Hours"
Reply
Solved! Jump to solution

king2jd
Path Finder
‎12-13-2016 04:13 PM

Thank you for your help! So the search A will show all the users that were not seen within 24 hours but seen 30 days ago, while search B shows the users that were seen within 24 hours and NOT > 30 days ago?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-13-2016 06:06 PM

That is correct.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...