- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search all the login events from a location
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search all the login events from a location
Need to run a report where the user is supposed to work remotely for 110 days in any given 365 days. The 365 days is a rolling window. Within any 365 the user is supposed to work only 110 days. Can someone help me with the logic
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
search *login* earliest=-365d
| eval unique_date= date_mday +"/" + date_month
| stats count by unique_date, user
| stats count by user
| eval crossed_threshold=if(count>110,"True","False")
If the result of that search is greater than 110 for any user in a 365 days period, then he crossed your threshold.
Could this sketch be according to your needs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are running the report every 30days so using a lookup to store all the remote logins. Can you modify the search based on that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I'm not following now. Do you want to store the results of this search in a lookup? Or do you have a lookup with something else that you want to include in the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are not running the search for 365 days but every 30 days and sending the remaining days left within the 365 rolling window.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok so then just change the earliest time you are looking at it:
search *login* earliest=-30d
| eval unique_date= date_mday +"/" + date_month
| stats count by unique_date, user
| stats count by user
| eval crossed_threshold=if(count>110,"True","False")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But the user is allowed to work for 110 days within any given 365 days. And we run this report every 30 days to send them the remaining days that are left
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I think I finally understood what you intend:
search *login* earliest=-365d
| eval unique_date= date_mday +"/" + date_month
| stats count by unique_date, user
| stats count by user
| eval remaining_days = 110-count
Let me know if that is what you want to send to the users
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
