topic Re: How to search for the users logging into a server that have never logged in before. in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-users-logging-into-a-server-that-have/m-p/306480#M164725 <P>Hi @ntalwar,</P> <P>I'll prefer below steps to achieve this.</P> <P>1.) Create CSV file which contains list of users who already logged into the server previously ( If you have this data in splunk you can fetch those data and generate lookup).<BR /> 2.) Upload that csv in Splunk.<BR /> 3.) Run you search to find users who logging into server and compare that against csv file which you have uploaded in splunk (Using <CODE>lookup</CODE> command)<BR /> 4.) Filter users who are not in lookup file (Something like <CODE>| where isnull(lookup_user)</CODE> )<BR /> 5.) Once you have result you can run this as scheduled search to send result over email and in same query I'll use <CODE>outputlookup</CODE> in last to update existing lookup file which contains logged in user details so in future when query will run it will not generate result against those newly logged in user.</P> <P>I hope this helps.</P> <P>Thanks,<BR /> Harshil</P> Wed, 29 Nov 2017 09:21:17 GMT harsmarvania57 2017-11-29T09:21:17Z How to search for the users logging into a server that have never logged in before. https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-users-logging-into-a-server-that-have/m-p/306479#M164724 <P>Working on real time data.I want to search for users logging into the server that have never logged before.</P> Wed, 29 Nov 2017 04:09:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-users-logging-into-a-server-that-have/m-p/306479#M164724 ntalwar 2017-11-29T04:09:44Z Re: How to search for the users logging into a server that have never logged in before. https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-users-logging-into-a-server-that-have/m-p/306480#M164725 <P>Hi @ntalwar,</P> <P>I'll prefer below steps to achieve this.</P> <P>1.) Create CSV file which contains list of users who already logged into the server previously ( If you have this data in splunk you can fetch those data and generate lookup).<BR /> 2.) Upload that csv in Splunk.<BR /> 3.) Run you search to find users who logging into server and compare that against csv file which you have uploaded in splunk (Using <CODE>lookup</CODE> command)<BR /> 4.) Filter users who are not in lookup file (Something like <CODE>| where isnull(lookup_user)</CODE> )<BR /> 5.) Once you have result you can run this as scheduled search to send result over email and in same query I'll use <CODE>outputlookup</CODE> in last to update existing lookup file which contains logged in user details so in future when query will run it will not generate result against those newly logged in user.</P> <P>I hope this helps.</P> <P>Thanks,<BR /> Harshil</P> Wed, 29 Nov 2017 09:21:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-users-logging-into-a-server-that-have/m-p/306480#M164725 harsmarvania57 2017-11-29T09:21:17Z