- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare 2 fields from different Index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare 2 fields from different Index
I am trying to look for accounts which are not active anywhere in network.
(index=network user=*) OR (index=okta SamAccountName=*) | eval InActive_Accounts=if(user==SamAccountName, "Active" , "NotActive") | table user, SamAccountName, InActive_Accounts
I tried it with coalesce as well but not getting any result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From your description, I understand you saying
Find me all users who are seen in network index, but NOT in okta index and show me those users
then this may work for you
(index=network user=*) OR (index=okta SamAccountName=*)
| eval userId=coalesce(user, SamAccountName)
| stats values(SamAccountName) as SamAccountName by userId
| where isnull(SamAccountName)which is saying
- Get me the data from both indexes
- Create a new field that contains either the value of user or SamAccountName
- Aggregate all the values of SamAccountName for that new field
- Filter out only those fields where there has been no SamAccountName seen
which should tell you all users in the network index, not in the okta index.
If you are looking for all your users (known by some other means) and are trying to determine if they are present in either index, then you will first need a list of the users you expect, e.g. in a lookup file, and then you will need to do something like this, where your_list_of_users.csv contains a column called userId
(index=network user=*) OR (index=okta SamAccountName=*)
| eval userId=coalesce(user, SamAccountName)
| stats count by userId
| append [
| inputlookup your_list_of_users.csv
| eval count=0
]
| stats max(count) as count by userId
| where count=0Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually,
user - field in index=network which has username as value
SamAccountName - field in index=okta which has username as value
I am trying to search SamAccountName against user field in index=network and get the SamAccountName list which are not present in index=network
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
