https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633206#M219964 <P>Can someone please help me getting the search query.</P><P>&nbsp;</P> Fri, 03 Mar 2023 16:32:03 GMT dbuddha2020 2023-03-03T16:32:03Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633202#M219961 <P>We have a list of authorized user who have to specific Database and created a lookup table name "<SPAN>Authorized_list.csv</SPAN>". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.</P> <P>&nbsp;</P> Mon, 06 Mar 2023 14:26:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633202#M219961 dbuddha2020 2023-03-06T14:26:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633206#M219964 <P>Can someone please help me getting the search query.</P><P>&nbsp;</P> Fri, 03 Mar 2023 16:32:03 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633206#M219964 dbuddha2020 2023-03-03T16:32:03Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633210#M219968 <P>Do you have any start to a search you could post?</P><P>In general, you could do something like:</P><P>"index=&lt;db_index&gt; users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"</P><P>This is assuming "users" is a field in both your indexed data and a field in the CSV.&nbsp;</P> Fri, 03 Mar 2023 16:49:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-for-identifying-the-list-of-unauthorized-user-from/m-p/633210#M219968 aoverfield 2023-03-03T16:49:36Z