Hey everyone,
I'm trying to come up with a way to get a table stating that a user was created in Splunk and had the "Require password change on first login" box checked.
Is there any way to get that information?
Thanks in advance
See if you have the following fields in your audit index:
index=audit action=create_user
You should see within the raw log the passwordState field, and the value should be along the lines of force password change. You can just rex that field out with this:
| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"
Then all you need to do from there is just table the fields:
| table _time, index, action, passwordState, *
THANK YOUUUUUU, you just made my 4 hours of looking for it worth it.
PS: the index is _audit, not just audit
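As an added example (not part of the original thread or of Splunk itself), here is the same extraction carried out in Python over a few constructed audit lines, so you can see what the rex and the final table produce before running the search against index=_audit. The event layout, field names (timestamp, user, action, object, passwordState) and the value spellings are assumptions for this example; check them against your own _audit events. It goes one step beyond the answer's rex: a double-quoted passwordState value containing spaces is captured whole (the original [^\s]+ pattern would stop at the first space), and an event with no passwordState field at all is kept in the table with an empty value instead of being dropped silently.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events that imitate the shape of Splunk _audit
# create_user entries; they are invented for this example, not real output.
SAMPLE_AUDIT_LINES: List[str] = [
    'Audit:[timestamp=05-01-2024 10:15:02.123, user=admin, action=create_user, info=succeeded, object=jdoe, passwordState=force_change]',
    'Audit:[timestamp=05-01-2024 10:16:44.001, user=admin, action=create_user, info=succeeded, object=svc_backup, passwordState=none]',
    'Audit:[timestamp=05-01-2024 10:17:10.555, user=admin, action=edit_user, info=succeeded, object=jdoe, passwordState=force_change]',
    'Audit:[timestamp=05-01-2024 10:18:00.000, user=admin, action=create_user, info=succeeded, object=legacy, passwordState="force password change"]',
    'Audit:[timestamp=05-01-2024 10:19:30.010, user=admin, action=create_user, info=succeeded, object=reporter]',
]

# Generic key=value extractor: a value is either a double-quoted string or
# everything up to the next comma / closing bracket.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]+)')

# Same intent as the answer's rex, extended so a quoted multi-word value is
# captured whole rather than cut at the first space.
PASSWORD_STATE_RE = re.compile(
    r'passwordState=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,\]]+))'
)


def extract_password_state(raw: str) -> Optional[str]:
    """Return the passwordState value, or None when the event lacks the field."""
    m = PASSWORD_STATE_RE.search(raw)
    if m is None:
        return None
    return m.group("quoted") if m.group("quoted") is not None else m.group("bare")


def parse_audit_line(raw: str) -> Dict[str, Optional[str]]:
    """Flatten one audit event into a field dictionary (surrounding quotes stripped)."""
    fields: Dict[str, Optional[str]] = {k: v.strip('"') for k, v in KV_RE.findall(raw)}
    fields["passwordState"] = extract_password_state(raw)
    return fields


def table_user_creations(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Equivalent of `action=create_user | table ...`: one row per created user."""
    rows = []
    for raw in lines:
        ev = parse_audit_line(raw)
        if ev.get("action") != "create_user":
            continue
        rows.append({
            "_time": ev.get("timestamp"),
            "admin": ev.get("user"),            # who performed the creation
            "created_user": ev.get("object"),   # the account that was created
            "passwordState": ev["passwordState"],
        })
    return rows


def forced_change_users(lines: List[str]) -> List[str]:
    """Names of created users whose passwordState indicates a forced first-login change."""
    out = []
    for row in table_user_creations(lines):
        state = (row["passwordState"] or "").lower()
        if "force" in state:
            out.append(row["created_user"])
    return out


if __name__ == "__main__":
    for row in table_user_creations(SAMPLE_AUDIT_LINES):
        print(row)
    print("forced change:", forced_change_users(SAMPLE_AUDIT_LINES))
```

The filter in forced_change_users is deliberately loose (any value containing "force"), because the exact spelling Splunk writes is the thing you confirm by looking at a real event first; tighten it to an exact match once you have seen one.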