Re: How to compare last value and the second last ...

massumtaqi · ‎09-20-2019

I want to get notified every time when an account expiry date is removed from Active directory and set to Never

"Account_Expires" is the field name that is changing in the logs.

For example:

Last value of "Account_Expires" is set to never
second last value of "Account_Expires" is set to " 01/01/2020"

How do I compare them to get my result?

woodcock · ‎09-21-2019

You can do it like this:

Your Core Search
| eventstats dc(Account_Expires) AS expirations BY host plus mabye other values here
| where expirations > 1

massumtaqi · ‎09-25-2019

No , Didnt work. Is there any way i can compare the date format with string?

Because if the date of an account to expire was 10/01/2019 and changed to never. I can check the formats of these two values to get my results.

if last value was date (10/01/2019) and new value is string (never). How do i check that?

woodcock · ‎09-20-2019

The distance to never and any point in time is undefined; the distance between infinity and any point of time is infinity.

massumtaqi · ‎09-20-2019

Then what do i write that tells me when an account expiry date from AD is changed from a certain date to never?

massumtaqi · ‎09-20-2019

How do i compare last and second last non numeric value anyways? I know delta is used for numeric.

If I cannot compare these two non numeric values, what do i write in the search that tells me that the user account expiry date is changed from a certain date to never?

How to compare last value and the second last value if they are non-numeric

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...