- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Display deleted events between 2 scheduled searche...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Hoping you can help me out here.
I have a ps input indexing daily AD computer objects to Splunk. The scripted input is set to execute daily. Output is in the following manner :
2014/04/29 11:46:39 ServerName="am-dc02" ADSPath="CN=am-dc02,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:36"
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"
I am having difficulties displaying AD Computer objects that got deleted in the last 1 day, last 7 days and last 30 days period.
For eg if the search that ran yesterday indexed 2 AD computer objects and the next run of the scripted input indexed only 1 AD computer obj :
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"
How do I list the AD computer object that got deleted when the scripted input ran today ? As I am not including isDeleted AD object property, I have to rely on the time stamp that is written at the start of each event in the output. This is the logic i am using while building the search.
I search for current time - 1 day and get the results displayed. Then I make a sub search for displaying the results of the current day. Then I am using the diff command to get the results. however that does not work at all. Can somebody please help me ? THank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
AD objects deleted in last 1 day
...your base search... earliest=-1d@d latest=@d NOT [search ...your base search...earliest=@d | stats count by ServerName,ADSPath | table ServerName,ADSPath | format]
This should give you all the AD groups that were present yesterday but not today.
Similarly change the earliest to "-7d@d" and "-30d@d" in the base search (not subsearch) to get object that were present in last 7days/30 days but not today.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
AD objects deleted in last 1 day
...your base search... earliest=-1d@d latest=@d NOT [search ...your base search...earliest=@d | stats count by ServerName,ADSPath | table ServerName,ADSPath | format]
This should give you all the AD groups that were present yesterday but not today.
Similarly change the earliest to "-7d@d" and "-30d@d" in the base search (not subsearch) to get object that were present in last 7days/30 days but not today.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Soni,
This search of yours works. Its just a bit slow to disaply results, but that would be coz the query making 2 searches against 2 different time frames.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Couldn't you do this? The following example is for a single day.
yoursearchhere earliest=-1d@d
| stats count by ServerName
| where count < 2
For an arbitrary number of days, this might be better:
yoursearchhere
| stats count range(_time) as range earliest(_time) as firstSeenOn latest(_time) as lastSeenOn by ServerName
| eval numDays = round(range/86400,0)
| where count < numDays
| table ServerName firstSeenOn lastSeenOn
or even
yoursearchhere
| stats latest(_time) as lastSeenOn by ServerName
| eval lastSeenOn = relative_time(lastSeenOn,"@d")
| eval today = relative_time(now(),"@d")
| where lastSeenOn < today
| fields - today
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or remove the where commands and see what you get
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What search are you using? Also, what do you see if you enter
yoursearchhere
| table _time ServerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for you reply.
However none of these searches display any results. It says there are few matching events, but it does not display the results. I tried breaking up the search strings you provided but I am unable to figure out why the search does not return any results.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
