Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JOIN to list user per DeviceId

davidcraven02
Communicator
‎05-15-2018 03:40 AM

Search is trying to show all users within the companyOu that have Mobile Iron setup (Status=Allowed) and those that do not (Mobile Iron not setup)

The below search is only showing one user listed but some users have more than one DeviceId configured. I can't work out why all DeviceId's are not showing for a user.

index=ad source=aduserscan 
| table samAccountName, companyOu, displayName 
| search samAccountName=*_cp companyOu=dacp.com 
| rename samAccountName as MailboxId 
| join type=left MailboxId 
    [ search index=msexchange source=otl_mobileiron MailboxId=*_cp 
    | dedup DeviceId 
    | search Retired="false" ] 
| rename companyOu as Company, MailboxId as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status 
| fillnull value="Mobile Iron not setup" Status 
| table Company, "User ID", "Display Name", "Status" DeviceId
| sort Company asc

alt text

Tags (2)
Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎05-15-2018 06:59 AM

@davidcraven02, Can you try the following:

index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" 
| dedup MailboxId DeviceId 
| rename MailboxId as samAccountName 
| join type=left samAccountName 
    [ search index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com 
    | dedup samAccountName, companyOu, displayName ] 
| rename companyOu as Company, samAccountName as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status 
| fillnull value="Mobile Iron not setup" Status 
| table Company, "User ID", "Display Name", "Status" DeviceId 
| sort Company asc

If this does not work, can you share example of which record from specific index does not show up? Mock/Anonymize sensitive data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

davidcraven02
Communicator
‎05-15-2018 07:27 AM

Thanks but this only returned 60 results whereas my original search returns 146 results.

I cant upload a screenshot but this search returned all users who have MobileIron (listing several DeviceId's per user) but it did not include those users who don't have it. The source aduserscan contains all users within the companyOu.

0 Karma
Reply

niketn
Legend
‎05-15-2018 07:56 AM

@davidcraven02 without having a look at some data values from events for the two sources, it would be difficult to come up with exact query, but can you try a different approach to check whether all Device IDs for various MailBoxIds show up

( index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" ) OR (index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com)
| rename samAccountName as MailboxId 
| stats count values(DeviceId) as DeviceId by MailboxId
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

davidcraven02
Communicator
‎05-15-2018 08:14 AM

This returned 146 results which is the total number of users for this company. However each MailboxId has a count of 1 and no DeviceId is displayed.

MailboxId count DeviceId
Haver_cp 1

dadams_cp 1

Forindex=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" the user field is called MailboxId not samAccountName.

And the user field for index=ad source=aduserscanis called samAccountName

( index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" )
      | stats count values(DeviceId) as DeviceId by MailboxId

When I search the above I get the below data

MailboxId   count   DeviceId
abon_cp          1         nine54011c5277ab
acavez_cp   1         ninebe03364cd694
acori_cp            1        iqj4udgc1h1q31j8vik9vceflo
akura_cp    1        rbmm3dea9d45v2kbt1rs36a7ok
aruma_cp    2        e53fd31687aa1ae3
                                     ninea8a1b3156df0
0 Karma
Reply

niketn
Legend
‎05-15-2018 09:17 AM

@davidcraven02, give the following a try, see whether matches for MailboxIds are coming from both sources otl_mobileiron and aduserscan or not.

( index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" ) OR (index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com)
 | eval MailboxId=coalesce(MailboxId,samAccountName)
 | stats count values(source) as source  values(DeviceId) as DeviceId by MailboxId
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mayurr98
Super Champion
‎05-15-2018 05:39 AM

can you try this?

index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com 
| stats count by samAccountName, companyOu, displayName 
| rename samAccountName as MailboxId 
| join type=left MailboxId 
    [ search index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" 
    | dedup MailboxId DeviceId] 
| rename companyOu as Company, MailboxId as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status 
| fillnull value="Mobile Iron not setup" Status 
| table Company, "User ID", "Display Name", "Status" DeviceId 
| sort Company asc
0 Karma
Reply

davidcraven02
Communicator
‎05-15-2018 06:45 AM

Thanks but this is gives the same number of results only a more efficient way to run it.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...