All Apps and Add-ons

How to use values in one column to verify if logged in users in another column have been pre-authorized?


So I have a search which produces a table like this:

index=* source=/var/log/secure | table Loggedin_user, host_ip, timestamp | sort by Loggedin_user | WHERE timestamp NOT NULL | WHERE host_ip NOT NULL | append[dbxquery connection=splunkdb query=SELECT%20name%20FROM%20users]| fields - _raw, _time | rename "(001)" as "username"


Loggedin_user   host_ip       timestamp         username
admin      Aug 18 09:36:08     
root     Aug 18 08:58:3             

What I'm looking to do is use the username column to verify whether the user logged in has been pre-authorized so I would have an output like such:

Loggedin_user   host_ip       timestamp   pre-authorized
admin    Aug 18      yes
root     Aug 18      yes
user     Aug 18      no

Is there a way I can go through the username column comparing each field to the whole Loggedin_user column?

0 Karma

Esteemed Legend
0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...