Splunk Search

help on a query - password changed on first login on splunk

rsaude
Path Finder

Hey everyone,

Im trying to come up with a way to get a table stating that, a user was created in splunk had the "Require password change on first login" box checked,

is there any way to get that information?

Thanks in advanced

0 Karma
1 Solution

begleyj1
Path Finder

See if you have the following fields in your audit index:

index=audit action=create_user

You should see within the raw log the passwordState field and the value should be along the lines of force password change. You can just rex that field out with this

| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"

Then all you need to do from there is just table the fields:

| table _time, index, action, passwordState, *

View solution in original post

begleyj1
Path Finder

See if you have the following fields in your audit index:

index=audit action=create_user

You should see within the raw log the passwordState field and the value should be along the lines of force password change. You can just rex that field out with this

| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"

Then all you need to do from there is just table the fields:

| table _time, index, action, passwordState, *

rsaude
Path Finder

THANK YOUUUUUU, you just made worth my 4 hours looking for it

rsaude
Path Finder

PS: the index is _audit not just audit

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...