Corrected Code index=tenable (module=auth message="*login*") OR (module=user (message="*modified*password*" OR message="*created user*")) | rex field=message "\[(?'usr'.*?)\].*\[(?'usr_mod'.*?)\]" | transaction startswith="created user" endswith="*modified*password*" | where eventcount=3 AND usr=usr_mod | stats values(user) as AllUsers, values(usr_mod) as ModifiedUsers | stats values(*) as * by AllUsers | eval check = if(match(ModifiedUsers,"^".AllUsers."$"),1,0) | stats values(eval(if(check=0,AllUsers,NULL))) as AllUsers ... View more

@to4kawa you had it praticly right, with a few erros, index=tenable (module=auth message="*login*") OR (module=user (message="*modified*password*" OR message="*created user*")) | rex field=message "\[(?'usr'.*?)\].*\[(?'usr_mod'.*?)\]" | transaction startswith="created user" endswith="*modified*password*" | where eventcount=3 AND usr=usr_mod | stats values(user) as AllUsers, values(usr_mod) as ModifiedUsers | stats values(*) as * by AllUsers | eval check = if(match(ModifiedUsers,"^".AllUsers."$"),1,0) | stats values(eval(if(check=0,AllUsers,NULL))) as AllUsers You had modefied and it was modified missing " at the end of the first and second line where is missing an AND between the conditions fix it so that i can call it an Correct awnser plss Btw tyy ... View more

that can't be the case, because i need to have exactly 3 events in this order, one that is the creation of the account, other that is login and the last is the password reset. so i used transaction ... View more

yes they both have it ... View more

https://imgur.com/lv3cTnu ... View more

my final purpose is to get the diference between all users that logged in and the users that changed their passwords on first login, just to check who didnt changed it on the first login. ... View more

there are 3 fields, user, usr and usr_mod, they do not have the same values ... View more

i can't seem to change the question so i'll post it on the comments: Here is the full query: index=xxx (module=auth message="login") OR (module=user (message="modified*password" OR message="created user")) | rex field=message "[(?'usr'.?)].[(?'usr_mod'.?)]" | transaction startswith="created user" endswith="*modified*password" | where eventcount=3 AND usr=usr_mod | stats values(user) as AllUsers, values(usr_mod) as ModifiedUsers ... View more

My bad, i got it to work with the full makeresult but i cant work it with my own, i'm gonna edit the original post and post the full query, there might be something wrong with the original query ... View more

I couldn't get this code to work with only the logic or with the full code... ... View more

PS: the index is _audit not just audit ... View more

THANK YOUUUUUU, you just made worth my 4 hours looking for it ... View more

It's not 100% correct since it wasn't in a log but since i got it to work i'll call it a win. ... View more

I managed to get it working for me, but thank you for your help anyway ... View more

it did not work for me, there were users that appeared with no type (Probably because they no longer exist) ... View more

i feard that, in any case if anyone knows a work around feel free to share please ... View more

I have found it. for those who want https://www.splunk.com/pdfs/training/Splunk-Certification-Exam-Duration.pdf ... View more

if possible could you tell me what is/where i could find the time for each exam ... View more

thank you, its exactly what i was looking for. ... View more