Splunk Search

How to pull events on status events based on time stamps

gregzee
New Member

When someone gets activated and deactivated this data is consolidated -- always.

My question is how can I separate this data based on timestamps?
If someone were to get deactivated then reactivated afterward,
how can I not include this in an input-look up?

I have a search that I am using, but I am running into false positives due to what I mentioned above: sometimes someone will get re-activated after deactivation, and I need Splunk to differentiate, since someone getting re-activated after deactivation is not an alert or an actionable offense.

What commands or other parts can I use?

Thank you.

Search:

(index="AD" OR index="ADUser") (eventType="SSO" OR eventType="start") | eval from="search" | append [| inputlookup users.csv | table users | eval from="lookup"] | stats values(from) as from by users | where mvcount(from)=2 AND from="lookup"
0 Karma

to4kawa
Ultra Champion

When someone gets activated and deactivated, how are the logs?

0 Karma
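
One way to approach the timestamp question, as an added example that is not from either poster: keep only each user's most recent status event and treat the user as deactivated only if that last event is a deactivation. The `status` field, its values `activated`/`deactivated` and the three sample events are constructed assumptions, since the thread does not show the real log format; `users` is the field name from the posted search.

```spl
| makeresults
| eval constructed_sample=split("1700000000,alice,deactivated;1700003600,alice,activated;1700000000,bob,deactivated", ";")
| mvexpand constructed_sample
| eval parts=split(constructed_sample, ",")
| eval _time=tonumber(mvindex(parts, 0)), users=mvindex(parts, 1), status=mvindex(parts, 2)
| stats latest(status) as last_status, max(_time) as last_change by users
| where last_status="deactivated"
| table users last_status last_change
```

Only bob is returned, because alice's later reactivation supersedes her earlier deactivation. On real data the first five lines would be replaced by the search over the status events.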