All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use values in one column to verify if logged in users in another column have been pre-authorized?

qazwsxedc994
Explorer
‎08-18-2015 02:09 AM

So I have a search which produces a table like this: 

index=* source=/var/log/secure | table Loggedin_user, host_ip, timestamp | sort by Loggedin_user | WHERE timestamp NOT NULL | WHERE host_ip NOT NULL | append[dbxquery connection=splunkdb query=SELECT%20name%20FROM%20users]| fields - _raw, _time | rename "(001) users.name.VARCHAR" as "username"

Output 

Loggedin_user   host_ip       timestamp         username
admin           192.168.1.10     Aug 18 09:36:08     
root            192.168.1.105   Aug 18 08:58:3             
                                                      admin
                                                    adam
                                                      test
                                                      root

What I'm looking to do is use the username column to verify whether the user logged in has been pre-authorized so I would have an output like such:

Loggedin_user   host_ip       timestamp   pre-authorized
admin           192.168.1.1   Aug 18      yes
root            192.168.1.1   Aug 18      yes
user            192.168.1.1   Aug 18      no

Is there a way I can go through the username column comparing each field to the whole Loggedin_user column?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-18-2015 07:07 AM

This is completely answered in the question below:

https://answers.splunk.com/answers/296193/checking-for-similar-fields-in-two-columns.html#comment-29...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...