Splunk - Custom Search Queries
Or try this:
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com"
| fields - _raw
| dedup cn
| eval splitted=split(member, "|")
| mvexpand splitted
| eval Zone="Latest"
| table cn splitted Zone _time
| append [ | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com"
    | fields - _raw
    | eventstats latest(_time) AS latest_timestamp by cn
    | eval prev_timestamp = strftime(_time, "%Y-%m-%d %I:%M:%S %p")
    | where _time < latest_timestamp
    | dedup cn
    | eval splitted=split(member, "|")
    | mvexpand splitted
    | eval Zone="Previous"
    | table cn splitted Zone _time latest_timestamp ]
| stats values(cn) AS cn, values(Zone) AS Zone, values(_time) AS Timestamp, values(latest_timestamp) AS latest_timestamp by splitted
| nomv Zone
| search Zone="Previous"
| eval t=now()
| eval t_earliest = (t - 86400 * 1)
| where latest_timestamp>t_earliest
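The membership diff that the search above performs (members present in a group's previous snapshot but missing from its latest one, restricted to groups whose latest snapshot falls inside the last 24 hours), as an added Python example that is not Splunk code from this page; NOW and the admon-style EVENTS are constructed sample values:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one row per group snapshot, member pipe-delimited as in the SPL
NOW = datetime(2024, 1, 10, 12, 0, 0)  # assumed "now()" so the example is deterministic
EVENTS = [
    {"cn": "Domain Admins", "member": "CN=alice|CN=bob", "_time": NOW - timedelta(days=3)},
    {"cn": "Domain Admins", "member": "CN=alice",        "_time": NOW - timedelta(hours=2)},
    {"cn": "Backup Ops",    "member": "CN=carol|CN=dave","_time": NOW - timedelta(days=5)},
    {"cn": "Backup Ops",    "member": "CN=carol",        "_time": NOW - timedelta(days=4)},
    {"cn": "Helpdesk",      "member": "CN=erin",         "_time": NOW - timedelta(hours=1)},
]

def removed_members(events, now, window_seconds=86400):
    """Return {(cn, member): {Timestamp, latest_timestamp}} for members that were in the
    previous snapshot of a group but are absent from its latest snapshot, only for groups
    whose latest snapshot is newer than now - window_seconds (the t_earliest filter)."""
    by_group = defaultdict(list)
    for e in events:
        by_group[e["cn"]].append(e)
    result = {}
    for cn, evs in by_group.items():
        evs.sort(key=lambda e: e["_time"], reverse=True)   # newest first, like Splunk results
        latest = evs[0]                                     # dedup cn on the "Latest" branch
        if (now - latest["_time"]).total_seconds() > window_seconds:
            continue                                        # where latest_timestamp > t_earliest
        earlier = [e for e in evs if e["_time"] < latest["_time"]]
        if not earlier:
            continue                                        # no "Previous" row for this group
        prev = earlier[0]                                   # dedup cn after where _time < latest
        latest_set = {m for m in latest["member"].split("|") if m}   # mvexpand of split(member)
        prev_set = {m for m in prev["member"].split("|") if m}
        for m in sorted(prev_set - latest_set):             # Zone="Previous" only, never "Latest"
            result[(cn, m)] = {"Timestamp": prev["_time"], "latest_timestamp": latest["_time"]}
    return result

if __name__ == "__main__":
    for (cn, member), info in removed_members(EVENTS, NOW).items():
        print(f"{member} removed from {cn}; latest snapshot {info['latest_timestamp']}")
```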
| table "Actioned By" "First Name" "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time
| sort - _time
| head 50000
If the above completes within a reasonable time, then try the following steps. Add this text to the macro:
NOT ([| inputlookup AD_User_LDAP_list | fields objectGUID | table objectGUID | format]) | head 50000
Save the changes, and then run the following search from the search view in the MS Windows AD Objects application, selecting the appropriate time window for your Active Directory "Sync" data (you can try All Time first):
|`ms_ad_obj_sched_sync_objects_base("User","user")`
You will need to run this multiple times, probably about 5 times for your environment.
You can check the count of objects in AD_User_LDAP_list by running:
| inputlookup AD_User_LDAP_list | stats count
After you have the table built, add the text OR admonEventType=Update OR admonEventType=Deleted back to the "ms_ad_obj_admon_user_base_list" macro, then rerun the step 1 searches to capture the update and delete events.
After you have the table built, remove the NOT ([| inputlookup AD_User_LDAP_list | fields objectGUID | table objectGUID | format]) | head 50000 text from the "ms_ad_obj_admon_user_base_list" macro.