Hi, I wonder whether someone may be able to help me please.
I'm using the search below to extract the date when Splunk user accounts have been created:
index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp
I'm then using the search below to extract a list of all user accounts:
|rest /services/authentication/users splunk_server=local
|fields realname
|rename realname as user
|table user
What I'd like to do is display a list of all user accounts and if they have been created within a chosen time range with the date next to them.
So I've then tried to combine the two using the search below:
index=_audit action=edit_user operation=create
|fields object
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|join user[search |rest /services/authentication/users splunk_server=local
|fields realname
|rename realname as user
|table user]
|table user timestamp
The problem I have is that when I run this I receive the following error:
Error in 'rest' command: This command must be the first command of a search.
I just wondered whether someone may be able to look at this please and let me know how I can get around this.
Many thanks and kind regards
Chris
Hi all,
Thank you for taking the time to look at my post and for the help, but I have been able to solve this as follows:
|rest /services/authentication/users splunk_server=local
|fields title
|rename title as user
| join user type=left [
| search index=_audit action="login attempt" earliest=-12mon
| stats max(timestamp) as _time by user, sourcetype
]
| where isnull(sourcetype)
| fields - sourcetype
|join user type=outer [
search index=_audit action=edit_user operation=edit earliest=0
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|stats min(timestamp) as "created" by user
]
Kind Regards
Chris
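The accepted answer above uses two join commands; the same result can be built with a single generating rest command followed by append and stats, which avoids the join subsearch result cap and keys on operation=create as the original question asked. This is an added example, not the code posted in the thread. It assumes the default _audit field names (timestamp, object, user) and the title and roles fields returned by /services/authentication/users; the output field names (in_rest, created_epoch, created_in_range) are chosen here for illustration.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title AS user
| eval in_rest=1
| append [
    search index=_audit action=edit_user operation=create earliest=0
    | rename object AS user
    | eval created_epoch=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
    | stats min(created_epoch) AS created_epoch BY user
  ]
| stats max(in_rest) AS in_rest, values(roles) AS roles, min(created_epoch) AS created_epoch BY user
| where in_rest==1
| addinfo
| eval range_end=coalesce(tonumber(info_max_time), now())
| eval created=strftime(created_epoch, "%d/%b/%Y")
| eval created_in_range=case(isnull(created_epoch), "no create event in _audit",
                              created_epoch>=info_min_time AND created_epoch<=range_end, "yes",
                              true(), "no")
| fields - in_rest info_* range_end created_epoch
| table user roles created created_in_range
```

The rest branch supplies the full roster and a sentinel field (in_rest) so that accounts which appear only in the audit trail, i.e. created and later deleted, drop out at the where clause. The subsearch runs with earliest=0 so every account keeps its real creation date regardless of the time picker; addinfo then exposes the picker bounds (info_min_time, info_max_time) and the case statement flags which accounts were created inside the chosen range. Accounts with no matching create event are labelled rather than left blank, because that gap is itself worth knowing about: the _audit retention may not reach back far enough, or the account may have been created by editing configuration files rather than through the UI or REST, which bypasses the edit_user audit event. Append subsearches still carry a default result and time limit, so for a large audit index the lookup approach suggested later in this thread is the more robust option.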
Have you considered using rest to create a lookup table for your users, and then use the lookup table in your base search, instead of rest?
Hi, thank you for replying.
To be honest I hadn't thought about using a lookup table. Maybe this is an option I could look into.
Many thanks for the suggestion and kind regards
Chris
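The lookup table approach suggested above, written out as an added example (not code from anyone in this thread). It assumes a saved search that is scheduled on the search head, a lookup file name chosen here for illustration (splunk_local_users.csv), and the standard _audit and REST field names; the derived field names (created_by, current_roles, account_status, snapshot_time) are likewise illustrative.

```spl
| rest /services/authentication/users splunk_server=local
| fields title realname roles email
| rename title AS user
| eval snapshot_time=now()
| outputlookup splunk_local_users.csv
```

That search is saved and scheduled (for example hourly) so the CSV always holds a recent snapshot of the accounts. The reporting search then starts from the audit index, which means the rest command is no longer needed in the base search and the time picker applies directly to the create events:

```spl
index=_audit action=edit_user operation=create
| rename user AS created_by
| rename object AS user
| eval created_epoch=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| eval created=strftime(created_epoch, "%d/%b/%Y %H:%M:%S")
| lookup splunk_local_users.csv user OUTPUT roles AS current_roles, snapshot_time
| eval account_status=if(isnull(snapshot_time), "not in current user list", "active")
| sort 0 created_epoch
| table created user created_by current_roles account_status
```

Two details matter here. The _audit event's own user field is the actor who performed the edit, so it is renamed to created_by before object is renamed to user; keeping the creator alongside the created account turns the report into a usable record of who provisioned which account. The lookup then enriches each create event with the account's current roles and flags accounts that no longer exist, since a create event with no matching row in the snapshot indicates an account that was added and later removed within the selected range. The snapshot only covers accounts visible to the search head that ran the scheduled search, so in a search head cluster the saved search should run on one member and rely on lookup replication.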
Hello Chris,
Please remove the search
just before the |rest from subsearch. Ie
Your search |join user [|rest /services/authentication/users splunk_server=local rest of your search
Hi thank you for coming back to me with this.
I've removed the search but it is not creating the list of accounts and the dates if they were set up in the given time period.
It is also not displaying the full list of dates against the user names for accounts I know were created in my given time range.
It's almost as if the subsearch is not being run.
Many thanks and kind regards
Chris
Hi Chris,
|rest /services/authentication/users splunk_server=local
?index=_audit action=edit_user operation=create
?title
from rest as user instead of realname
Hi thank you for coming back to me and my apologies for not coming back to you sooner.
Although I've had to raise another ticket to ask for someone to check my logic, I think I may have solved this with the query as shown in the answer section.
Kind regards
Chris