How to generate a search to find when a user is cr...

wvalente · ‎07-24-2017

Hi,

I want to run a search that alert me when a user is created and deleted in a period of time between 72 hours and 4 hours.

Could anyone help me?

Tks.

DalJeanis · ‎07-24-2017

Are you talking about a splunk user, an Active Directory user, a local user on a windows machine, or something else?

for splunk users , search index=_audit object=<username>

this code from this page https://answers.splunk.com/answers/368373/when-was-the-user-account-created.html

 index=_audit action=edit_user operation=create
 |rename object as user
 |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
 |convert timeformat="%d/%b/%Y" ctime(timestamp)
 |table user timestamp

You should be able to find any deletes the same way.

For windows users, see https://answers.splunk.com/answers/144190/account-creation-and-deletion-within-a-given-time.html

wvalente · ‎07-25-2017

Hi DlJeanis,

I'm talking about linux user.

I can use the 'windows user' query.

Tks for your support.

How to generate a search to find when a user is created and deleted in a period of time?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to generate a search to find when a user is created and deleted in a period of time?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits