Splunk Search

How to pull events on status events based on time stamps

gregzee
New Member

When someone gets activated and deactivated this data is consolidated -- always.

My question is how can I separate this data based on timestamps?
If someone were to get deactivated then reactivated afterward,
how can I not include this in an inputlookup?

I have a search that I am using, but I am running into false positives due to what I mentioned above: sometimes someone will get re-activated after deactivation, and I need Splunk to differentiate that someone getting re-activated after deactivation is not an alert or an actionable offense.

What commands or other parts can I use?

Thank you.

Search:

index="AD" index="ADUser" eventType="SSO" OR eventType="start" | eval from="search" | append [| inputlookup users.csv | table users | eval from="lookup"] | stats values(from) as from by users | where mvcount(from)=2 AND from="lookup"
0 Karma

to4kawa
Ultra Champion

When someone gets activated and deactivated,
what do the logs look like?

0 Karma
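One way to handle the reactivation case, as an added example that is not from the original thread: let stats latest() pick each user's most recent status event by _time, so a user who was deactivated and then reactivated ends up with last_status="activate" and drops out of the result, while a user whose latest event is a deactivation stays in. The eventType values "activate"/"deactivate" and the makeresults rows (alice: deactivate then activate; bob: deactivate; carol: activate then deactivate) are constructed assumptions; users.csv is the lookup named in the question.

```spl
| makeresults count=5
| streamstats count AS n
| eval users=case(n<=2, "alice", n==3, "bob", n>=4, "carol")
| eval eventType=case(n==1, "deactivate", n==2, "activate", n==3, "deactivate", n==4, "activate", n==5, "deactivate")
| eval _time=relative_time(now(), "-".tostring(6-n)."h")
| stats latest(eventType) AS last_status, latest(_time) AS last_change BY users
| where last_status="deactivate"
| lookup users.csv users OUTPUT users AS in_lookup
| where isnotnull(in_lookup)
| convert ctime(last_change)
```

With the constructed rows, only bob and carol are returned (assuming both are in users.csv); alice is excluded because her latest event is the reactivation. Replace the first five lines with your real index search (index="AD" eventType="activate" OR eventType="deactivate") to run it against live data.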