Splunk Search

Column comparison for authentication



I created a search which provides me with the usernames of all user which have logged on, i have another column right now which is from a database containing all the authenticated usernames. I want to check that all usernames in the first column are in the database.

I tried using:
eval Results=if(match(Loggedin_user,username), "yes","no"

but doesnt work. I need a way to loop through the Loggedin_user column verifying that the username is in the username column.

Any suggestion on how to do this?

0 Karma

Re: Column comparison for authentication


This might not be the best solution but...
You can | append the usernames from the db to the result of the search. Instead of using 2 columns you'll end up with 1 column with every username. After that just use:

|stats count by username

Then you just use search to filter results:
For users on both places:

 ...| search count =2

For users only in one place:

 ...| search count < 2

If you want to know where they are you could even use values(source) in the stats command

Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma