https://community.splunk.com/t5/Getting-Data-In/Compare-SSH-users-against-authorized-user-list/m-p/38755#M7159 <P>I have a table that shows the usernames logging into to my various servers. I want to compare these results to a list of users I have specified in order to notice any users that should not be accessing certain systems.</P> <P>Basically, I am looking to that verify usernames are in the "authorized user" array/list.</P> Fri, 17 May 2013 20:40:46 GMT nickabal 2013-05-17T20:40:46Z https://community.splunk.com/t5/Getting-Data-In/Compare-SSH-users-against-authorized-user-list/m-p/38755#M7159 <P>I have a table that shows the usernames logging into to my various servers. I want to compare these results to a list of users I have specified in order to notice any users that should not be accessing certain systems.</P> <P>Basically, I am looking to that verify usernames are in the "authorized user" array/list.</P> Fri, 17 May 2013 20:40:46 GMT https://community.splunk.com/t5/Getting-Data-In/Compare-SSH-users-against-authorized-user-list/m-p/38755#M7159 nickabal 2013-05-17T20:40:46Z https://community.splunk.com/t5/Getting-Data-In/Compare-SSH-users-against-authorized-user-list/m-p/38756#M7160 <P>That can be solved well with a lookup. For example, define a CSV file that contains two columns:</P> <PRE><CODE>username,status bob,okay john,deleted </CODE></PRE> <P>Define an automatic lookup that appends the status column to your search results based on the username. Then look for users that either have no value for status or have a value different from "okay".</P> <P>You could also do lookups against a database, or join data from a second indexed source - what is best depends on your environment.</P> Fri, 17 May 2013 21:26:13 GMT https://community.splunk.com/t5/Getting-Data-In/Compare-SSH-users-against-authorized-user-list/m-p/38756#M7160 martin_mueller 2013-05-17T21:26:13Z