Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search with IF/THEN logic to display usernames existing on a host for a given time range?

king2jd
Path Finder
‎12-13-2016 01:06 PM

Here is my search: 

| set diff [search index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days"][search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | table host,user,count,ReportKey

This returns two search results. The first shows all the usernames that existed on a host 30 days ago, and the second search shows the usernames that exist 24 hours ago. I am trying to only display results ONLY IF:

A. The Usernames existed 30 days, ago but didn't exist within 24 hours (meaning they were deleted) OR
B. The usernames existed within 24 hours and didn't exist 30 days ago (meaning they were recently created)

Been struggling through this and figured i would look to the community for help.

Much appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-13-2016 01:21 PM

Try this

For A

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey=">30 Days"

For B

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey="24 Hours"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-13-2016 01:21 PM

Try this

For A

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey=">30 Days"

For B

index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey="24 Hours"
Reply
Solved! Jump to solution

king2jd
Path Finder
‎12-13-2016 04:13 PM

Thank you for your help! So the search A will show all the users that were not seen within 24 hours but seen 30 days ago, while search B shows the users that were seen within 24 hours and NOT > 30 days ago?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-13-2016 06:06 PM

That is correct.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...