Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compare 2 fields from different Index

rnikam1412
Loves-to-Learn Everything
‎11-09-2021 11:42 AM

I am trying to look for accounts which are not active anywhere in network.

(index=network user=*) OR (index=okta SamAccountName=*) | eval InActive_Accounts=if(user==SamAccountName, "Active" , "NotActive") | table user, SamAccountName, InActive_Accounts

I tried it with coalesce as well but not getting any result.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2021 01:31 PM

From your description, I understand you saying 

Find me all users who are seen in network index, but NOT in okta index and show me those users

then this may work for you

(index=network user=*) OR (index=okta SamAccountName=*) 
| eval userId=coalesce(user, SamAccountName)
| stats values(SamAccountName) as SamAccountName by userId
| where isnull(SamAccountName)

which is saying

  • Get me the data from both indexes
  • Create a new field that contains either the value of user or SamAccountName
  • Aggregate all the values of SamAccountName for that new field
  • Filter out only those fields where there has been no SamAccountName seen

which should tell you all users in the network index, not in the okta index.

If you are looking for all your users (known by some other means) and are trying to determine if they are present in either index, then you will first need a list of the users you expect, e.g. in a lookup file, and then you will need to do something like this, where your_list_of_users.csv contains a column called userId

(index=network user=*) OR (index=okta SamAccountName=*) 
| eval userId=coalesce(user, SamAccountName)
| stats count by userId
| append [ 
  | inputlookup your_list_of_users.csv
  | eval count=0
]
| stats max(count) as count by userId
| where count=0

Hope this helps

 

0 Karma
Reply

rnikam1412
Loves-to-Learn Everything
‎11-09-2021 01:42 PM

Actually, 

user - field in index=network which has username as value

SamAccountName - field in index=okta which has username as value

I am trying to search SamAccountName against user field in index=network and get the SamAccountName list which are not present in index=network

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...