Splunk Search

Compare search results to CSV values

Sasquatchatmars
Communicator

Hi all! 

I have been trying to compare a search with a CSV lookup table. So far no luck... The list contains only 1 column with usernames. For example:

username
user_Apha
user_Beta
user_Charlie
user_Delta


Now this list is used to verify whether users who are not in the company still log in (the list is updated daily), but I can't seem to make it work. This is the search I have so far:

index="wineventlog" source="WinEventLog:Security" action=success EventCode=4624 OR 4768
| lookup disabled_account_list username OUTPUT username AS Disabled_User
| where user = username
| table Time username


I assume that it is completely wrong but I am out of ideas about how to correct it. 

Thank you very much,

Sasquatchatmars

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @Sasquatchatmars,

let me understand: in the index you have the field user, instead in the lookup you have the field username, and you want to check that all the user values are in the lookup in the username field, is it correct?

if yes, please, try this search:

index="wineventlog" source="WinEventLog:Security" action=success EventCode=4624 OR EventCode=4768 NOT [ | inputlookup disabled_account_list | rename username as user | fields user ]
| table _time user

Ciao.

Giuseppe


Sasquatchatmars
Communicator

Hi @gcusello,

That is correct. But I only want to see which user logged in that shouldn't have. So if the user in the index corresponds to the username in the lookup file, I want a table that shows only that one. With the search that you gave in your first reply I see every event of every user in the index, not only the matched ones.

Thank you,

Sasquatchatmars

0 Karma

gcusello
SplunkTrust

Hi @Sasquatchatmars,

with my search you have the users in the index that aren't also in the LDAP.

If you want to take the ones that are in LDAP, don't use the NOT operator before the subsearch.

Ciao.

Giuseppe
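To make the two variants concrete, here is an added example (not code from the thread or from Splunk) that replays the logic in plain Python over a constructed set of event lines and a constructed stand-in for the disabled_account_list lookup: the subsearch with NOT behaves like an anti-join (events whose user is absent from the lookup), and the subsearch without NOT behaves like a semi-join (events whose user is present, which is what the question asks for). The key=value line format, the sample usernames and timestamps, and the lowercase normalisation of usernames are all assumptions of this example, not properties of Splunk or of the original data.

```python
import csv
import io
import re

# Constructed sample events, one per line as key=value pairs (not real log data).
SAMPLE_EVENTS = """\
_time=2024-03-01T08:01:10 EventCode=4624 action=success user=user_Alpha
_time=2024-03-01T08:02:44 EventCode=4768 action=success user=USER_beta
_time=2024-03-01T08:05:03 EventCode=4624 action=success user=user_Echo
_time=2024-03-01T08:07:51 EventCode=4625 action=failure user=user_Charlie
_time=2024-03-01T08:09:12 EventCode=4624 action=success user=user_Foxtrot
_time=2024-03-01T08:11:30 EventCode=4768 action=success user=user_Delta
"""

# Constructed stand-in for the one-column disabled_account_list CSV lookup.
SAMPLE_LOOKUP_CSV = """\
username
user_Alpha
user_Beta
user_Charlie
user_Delta
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value pairs."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def load_lookup(csv_text, column="username"):
    """Read the lookup column into a set; lowercasing is this example's choice."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip().lower() for row in reader if row.get(column)}


def base_search(events):
    """Equivalent of: action=success (EventCode=4624 OR EventCode=4768).

    Both terms must name the field; a bare `OR 4768` would be a free-text term
    rather than a second EventCode condition.
    """
    return [
        e for e in events
        if e.get("action") == "success" and e.get("EventCode") in {"4624", "4768"}
    ]


def compare_to_lookup(events, disabled, only_in_lookup=True):
    """Return (_time, user) rows, mirroring `| table _time user`.

    only_in_lookup=True  -> users that ARE in the lookup (subsearch without NOT),
                            i.e. disabled accounts that still produced a logon.
    only_in_lookup=False -> users that are NOT in the lookup (NOT [ | inputlookup ... ]).
    """
    rows = []
    for e in base_search(events):
        in_lookup = e.get("user", "").lower() in disabled
        if in_lookup == only_in_lookup:
            rows.append((e["_time"], e["user"]))
    return rows


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    disabled = load_lookup(SAMPLE_LOOKUP_CSV)
    print("Disabled accounts that still logged in:")
    for when, who in compare_to_lookup(events, disabled):
        print(f"  {when}  {who}")
    print("Logons by accounts not on the list:")
    for when, who in compare_to_lookup(events, disabled, only_in_lookup=False):
        print(f"  {when}  {who}")
```

Running it lists user_Alpha, USER_beta and user_Delta under the first heading (the rows the final search in this thread returns) and user_Echo and user_Foxtrot under the second (what the NOT variant returns); the failed 4625 logon never enters either result because it does not pass the base search.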

Sasquatchatmars
Communicator

Hi @gcusello,

This worked perfectly! Thank you very much! Just FYI, in your search you wrote "field" instead of "fields".

Thank you!

Sasquatchatmars

0 Karma