Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to compare columns in an inputlookup and retur...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to compare columns in an inputlookup and return results that do not match?
Earenhart
Path Finder
03-30-2018
03:28 PM
Hello,
I am trying to build a search that takes an inputlookup file that has 2 columns; One is a list of usernames, the second is a list of FQDN's, and generates results when any of the users in the list are seen logging in to any computer other than the one adjacent to it in Column B (their assigned workstations).
For example:
Inputlookupfile.csv
Column A Column B
Username A FQDN1
Username B FQDN2
With this example, my search needs to be able to compare column A with column B, and generate results if say, Username A logs into ANY OTHER computer other than FQDN1 (or even both FQDN1 and FQDN2, but preferably only the one in the adjacent cell).
If there is a simpler way to generate results of a user logging into a machine other than their own, I am all ears. Note: Some users have multiple computers, so I will also need to figure out what the best method is for factoring that in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-31-2018
10:14 PM
Generally you'd do like this (assuming your indexed data search has a field username and computer_name it them.)
index=foo sourcetpe=bar..your indexed data search
| lookup inputlookupfile.csv "column A" as username OUTPUT "column B" as assigned_computer_name
| where computer_name!=assigned_computer_name
The lookup command will match the username (from indexed data search) with "column A" (from lookup) and add assigned_computer_name (renamed column B from lookup) to search result as a new column. The where clause will just compare computer_name (from indexed data search) with assigned_computer_name to filter results where they don't match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Earenhart
Path Finder
04-04-2018
09:59 AM
Thank you somesoni2,
I am in the process of testing this to see if it works. I am not getting errors anymore, but not getting any results either. I will run some test configs and see if I can get some results, and then return back to share what I came up with.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Earenhart
Path Finder
03-31-2018
04:07 PM
I am not requesting that someone builds a search for me, but am wanting to know if this idea can be accomplished or not. If comparing fields in a csv file is not possible, if anyone knows any other method that might work to accomplish this idea that would be very useful. I felt the need to clarify this since I may not have properly worded my request.
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
