Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Column comparison for authentication

qazwsxedc994
Explorer
‎08-17-2015 05:09 AM

Hi,

I created a search which provides me with the usernames of all user which have logged on, i have another column right now which is from a database containing all the authenticated usernames. I want to check that all usernames in the first column are in the database.

I tried using:
eval Results=if(match(Loggedin_user,username), "yes","no"

but doesnt work. I need a way to loop through the Loggedin_user column verifying that the username is in the username column.

Any suggestion on how to do this?

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-17-2015 08:48 AM

This might not be the best solution but...
You can | append the usernames from the db to the result of the search. Instead of using 2 columns you'll end up with 1 column with every username. After that just use: 

|stats count by username

Then you just use search to filter results:
For users on both places:

 ...| search count =2

For users only in one place:

 ...| search count < 2

If you want to know where they are you could even use values(source) in the stats command

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...