Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search with IF/THEN logic to displa...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
king2jd
Path Finder
12-13-2016
01:06 PM
Here is my search:
| set diff [search index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days"][search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | table host,user,count,ReportKey
This returns two search results. The first shows all the usernames that existed on a host 30 days ago, and the second search shows the usernames that exist 24 hours ago. I am trying to only display results ONLY IF:
A. The Usernames existed 30 days, ago but didn't exist within 24 hours (meaning they were deleted) OR
B. The usernames existed within 24 hours and didn't exist 30 days ago (meaning they were recently created)
Been struggling through this and figured i would look to the community for help.
Much appreciated!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-13-2016
01:21 PM
Try this
For A
index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey=">30 Days"
For B
index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey="24 Hours"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-13-2016
01:21 PM
Try this
For A
index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey=">30 Days"
For B
index=os_nix sourcetype="Unix:UserAccounts" earliest =-90d@d latest=-30d@d host="su-ecom*" | stats count by host,user | eval ReportKey=">30 Days" | append [search index=os_nix sourcetype="Unix:UserAccounts" earliest=-1d@d latest=now host="su-ecom*"| stats count by host,user | eval ReportKey="24 Hours"] | stats values(ReportKey) as ReportKey by host,user
| where mvcount(ReportKey)=1 AND ReportKey="24 Hours"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
king2jd
Path Finder
12-13-2016
04:13 PM
Thank you for your help! So the search A will show all the users that were not seen within 24 hours but seen 30 days ago, while search B shows the users that were seen within 24 hours and NOT > 30 days ago?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-13-2016
06:06 PM
That is correct.
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
