I have set the first search, which searches for all user accounts:

|rest /services/authentication/users splunk_server=local

I have then set the second search, which highlights the accounts where the user hasn't logged on within the last 12 months:

index=_audit action="login attempt" earliest=-12mon
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|stats max(timestamp) as "Last Date Account Accessed" by user

I have then set up my third search, which extracts when the user's account was created or amended:

index=_audit action=edit_user operation=edit earliest=0
|stats min(timestamp) as "Date Account Created" by user

I have then joined them together:

|rest /services/authentication/users splunk_server=local
| search index=_audit action="login attempt" earliest=-12mon
| stats max(timestamp) as _time by user, sourcetype
Search index=_audit action=edit_user operation=edit earliest=0
|stats min(timestamp) as "created" by user

I have set the earliest time to zero to capture this information from the beginning of time. The problem I have is that it doesn't insert a date of account created against all the names, only some, and this seems to be because it is using the 'timepicker' date in the search panel rather than the hardcoded date. I'm not sure whether my logic is correct, so I'd like, if at all possible, for someone with a 'fresh pair of eyes' to look at this and check my logic. If possible, please suggest a more efficient way of writing this, if indeed there is one.


I created a lookup file (hierarchy_lookup.csv) with this layout:

[lookup layout was an image in the original and is not preserved]

I would like to create a dashboard in which the multiselect list view presents the EnterpriseIDs in the lookup file that have a common field (Scope, Module) with the current user logged into Splunk. In my case, for example (lines 4 & 5), I have two modules (DWH and BW). I need to view all EnterpriseIDs that have my same Module and Scope. I have tried to generate the query, but it is not working very well:

| where [| rest /services/authentication/current-context

In this case, I would like my query to return:

1 Logistica DWH myEnterpriseID (line 4 of lookup)
1 Logistica BW myEnterpriseID (line 5 of lookup)
1 Logistica BW EnterpriseID (line 3 of lookup)
1 Logistica BW EnterpriseID (line 6 of lookup)
1 Logistica DWH EnterpriseID (line 7 of lookup)


Without having an equivalent lookup to play with, I found a couple of syntax issues with the first part of the search you wrote:

| inputlookup hierarchy_lookup.csv

Can you give this a try to see if this produces the same table as your first screenshot?

As for the second part, the request is to have a table automatically display the same Scope and Module for all users that share the Scope and Module as that user. I believe the below search would accomplish that to produce the table you listed out:

| inputlookup hierarchy_lookup.csv [| rest /services/authentication/current-context
| join Scope, Module, EnterpriseID type=inner
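The hierarchy question above asks for every lookup row whose (Scope, Module) pair matches one of the logged-in user's own rows, with the user identity taken from the session (what | rest /services/authentication/current-context supplies) rather than from anything the viewer can type. The following is an added example, not code from the thread or from Splunk, that implements that inner join over a constructed stand-in for hierarchy_lookup.csv. Lines 3 to 7 of the constructed file reproduce the rows the poster expects back; lines 1 and 2, the Line column, and every EnterpriseID other than myEnterpriseID are assumptions added so the filter has something to reject.

```python
import csv
import io

# Constructed stand-in for hierarchy_lookup.csv (not the poster's file).
# Lines 3-7 reproduce the rows the question expects back; lines 1-2 are
# assumed rows with a different Scope/Module that must NOT be returned.
# EnterpriseID values other than myEnterpriseID are invented labels.
HIERARCHY_LOOKUP_CSV = """\
Line,Scope,Module,EnterpriseID
1,Finance,SAP,finEnterpriseID
2,Logistica,WMS,wmsEnterpriseID
3,Logistica,BW,bwEnterpriseID
4,Logistica,DWH,myEnterpriseID
5,Logistica,BW,myEnterpriseID
6,Logistica,BW,otherEnterpriseID
7,Logistica,DWH,dwhEnterpriseID
"""


def load_lookup(csv_text):
    """Parse the lookup the way | inputlookup would: one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def peers_of(rows, current_user):
    """Inner join on (Scope, Module).

    Keep every lookup row whose (Scope, Module) pair occurs on at least one
    row owned by current_user. current_user must come from the authenticated
    session (what | rest /services/authentication/current-context returns),
    never from a dashboard token the viewer can edit, or the filter is
    bypassable. A user with no rows gets an empty set of pairs and sees nothing.
    """
    my_pairs = {(r["Scope"], r["Module"])
                for r in rows if r["EnterpriseID"] == current_user}
    return [r for r in rows if (r["Scope"], r["Module"]) in my_pairs]


def peer_lines(csv_text, current_user):
    """Lookup line numbers visible to current_user, in lookup order."""
    return [int(r["Line"]) for r in peers_of(load_lookup(csv_text), current_user)]


def peer_ids(csv_text, current_user):
    """Distinct EnterpriseIDs to feed the multiselect, sorted."""
    return sorted({r["EnterpriseID"]
                   for r in peers_of(load_lookup(csv_text), current_user)})


if __name__ == "__main__":
    for row in peers_of(load_lookup(HIERARCHY_LOOKUP_CSV), "myEnterpriseID"):
        print(row["Scope"], row["Module"], row["EnterpriseID"],
              f"(line {row['Line']} of lookup)")
```

Run as-is it prints lines 3, 4, 5, 6 and 7 for myEnterpriseID, matching the table the poster listed; a user present on only one row (line 2) sees only that row, and an identity absent from the lookup sees an empty list rather than everything.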
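The three searches in the first question (all accounts from the REST endpoint, last successful login within 12 months, earliest account edit with earliest=0) amount to a left join of the user list against two aggregations of _audit. The following is an added example, not code from the thread or from Splunk, that runs the same logic in Python over constructed lines modelled on the _audit format. It shows the two properties the poster's output needs: every REST user stays in the result even when it has no audit events (created and last_login become empty instead of the row vanishing), and the creation scan covers all history while the staleness test only looks at the last 12 months. The field semantics assumed here (user= is the account performing the action, object= names the account an edit_user event affects, info=succeeded marks a good login) and all sample lines are assumptions to check against your own _audit data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on Splunk's _audit format (not real data).
# Assumed field semantics: user= is the account performing the action; for
# action=edit_user the affected account is named by object=; a good login is
# action="login attempt" with info=succeeded. Check these against your _audit.
AUDIT_LINES = [
    'Audit:[timestamp=02-10-2021 09:15:01.000, user=admin, action=edit_user, info=granted, object="alice", operation=create]',
    'Audit:[timestamp=02-10-2021 09:15:01.000, user=admin, action=edit_user, info=granted, object="bob", operation=create]',
    'Audit:[timestamp=06-14-2022 16:40:12.000, user=admin, action=edit_user, info=granted, object="bob", operation=edit]',
    'Audit:[timestamp=03-01-2024 08:00:00.000, user=admin, action=edit_user, info=granted, object="carol", operation=create]',
    'Audit:[timestamp=05-30-2024 09:02:44.000, user=admin, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.2]',
    'Audit:[timestamp=05-20-2024 11:30:00.000, user=alice, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.5]',
    'Audit:[timestamp=04-02-2023 07:45:00.000, user=bob, action=login attempt, info=succeeded, reason=user-initiated, clientip=10.0.0.9]',
    'Audit:[timestamp=05-28-2024 23:10:00.000, user=bob, action=login attempt, info=failed, reason=user-initiated, clientip=10.0.0.9]',
]
# Constructed stand-in for | rest /services/authentication/users (its title field).
REST_USERS = ["admin", "alice", "bob", "carol", "svc_backup"]
NOW = datetime(2024, 6, 1)  # fixed reference time so the result is reproducible

KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]+)')
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit(line):
    """Split one _audit line into key=value fields plus a parsed _time."""
    fields = {k: v.strip().strip('"') for k, v in KV_RE.findall(line)}
    fields["_time"] = datetime.strptime(fields["timestamp"], TS_FMT)
    return fields


def account_report(users, audit_lines, now, stale_after=timedelta(days=365)):
    """Left join of the user list against two aggregations of _audit.

    created    = earliest edit_user create/edit naming the account; the scan
                 covers all lines (the equivalent of earliest=0) and an account
                 older than audit retention gets None, not a dropped row
    last_login = latest successful login attempt by the account
    stale      = no successful login within stale_after (including never)
    """
    created, last_login = {}, {}
    for e in (parse_audit(l) for l in audit_lines):
        if e.get("action") == "edit_user" and e.get("operation") in ("create", "edit"):
            target = e.get("object")
            if target:
                created[target] = min(created.get(target, e["_time"]), e["_time"])
        elif e.get("action") == "login attempt" and e.get("info") == "succeeded":
            u = e["user"]
            last_login[u] = max(last_login.get(u, e["_time"]), e["_time"])
    report = []
    for u in users:  # every REST user survives, even with no audit events at all
        ll = last_login.get(u)
        report.append({"user": u, "created": created.get(u), "last_login": ll,
                       "stale": ll is None or now - ll > stale_after})
    return report


def stale_users(users, audit_lines, now):
    """Accounts with no successful login in the window, sorted by name."""
    return sorted(r["user"] for r in account_report(users, audit_lines, now) if r["stale"])


if __name__ == "__main__":
    def fmt(d):
        return d.strftime("%d/%b/%Y") if d else "-"
    for r in account_report(REST_USERS, AUDIT_LINES, NOW):
        print(f"{r['user']:<12} created={fmt(r['created'])} "
              f"last_login={fmt(r['last_login'])} stale={r['stale']}")
```

With the constructed input, bob is flagged because his only successful login is older than a year (the later failed attempt is ignored), carol and svc_backup are flagged because they have never logged in, and admin and svc_backup keep a row with an empty created date because no edit_user event names them.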