Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting a list of active users usernames from a list of email addresses

agenco01
Engager
‎05-13-2021 12:38 PM

I have a CSV with multiple hundred email addresses and I am trying to run a report to determine which accounts are active, and their username within our domain. Is there a way to do this simply within Splunk?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-13-2021 11:02 PM

Hi @agenco01,

let me understand: you have in a csv a list containing hundreds of email addresses and you want to know which of them are active, is it correct?

To do this, you need a data frow from an email sistem or a front end web server used by your email system.

Then you have to load your csv in a lookup and thes perform a search on your data, like this:

(hypothesis: index is called "email", csv file is called "email.csv", email field in email index is called "sender", email field in csv is called "email")

 

index=email
| eval sender=lower(sender)
| stats count BY sender
| append [| inputlookup email.csv | eval sender=lower(email), count=0 | fields sender count) ]
| stats sum(count) AS total BY sender
| eval stats=if(total=0,"Inactive","Active")
| sort sender
| table sender status

 

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

agenco01
Engager
‎05-17-2021 06:08 AM

Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2021 06:10 AM

Hi @agenco01,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-13-2021 11:02 PM

Hi @agenco01,

let me understand: you have in a csv a list containing hundreds of email addresses and you want to know which of them are active, is it correct?

To do this, you need a data frow from an email sistem or a front end web server used by your email system.

Then you have to load your csv in a lookup and thes perform a search on your data, like this:

(hypothesis: index is called "email", csv file is called "email.csv", email field in email index is called "sender", email field in csv is called "email")

 

index=email
| eval sender=lower(sender)
| stats count BY sender
| append [| inputlookup email.csv | eval sender=lower(email), count=0 | fields sender count) ]
| stats sum(count) AS total BY sender
| eval stats=if(total=0,"Inactive","Active")
| sort sender
| table sender status

 

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...