I have a lookup tables with user names (ftp_users.csv).
Every day I'm getting one line from a particular system with users with FTP permissions, I want to compare between the lookup file (which contains the allowed FTP users) with the line I'm getting from the system and to alert when there is no match.
The line form the system looks similar to the below row:
users=user1, user2, user3, user4, user5
I'll appreciate any help with that,
index=_internal | head 1 | fields _raw _time | eval _raw="users=user1, user2, user3, user4, user5" | rex "=(?<users>.*)" | eval users=trim(split(users,",")) | mvexpand users
That's great @to4kawa , now I have two fields ("users" field from the system's output, and "user" from my ftp_allowed lookup).
I ran the below stats and got two lists of users, now I just need to compare and alert when there is an extra user under one of the lists.
| stats values(users) as ftp_users, values(user) as allowed_user
Trying my luck another time..
I have created the below search:
<my search here> | fields users | eval users=trim(split(users,",")) | mvexpand users | lookup as400_ftp_users.csv user as users OUTPUT user | rename users as FTP_USERS, user as ALLOWED_USERS | table FTP_USERS ALLOWED_USERS
Now I have two lists of users, ordered by user name:
I want to print out the extra user on the left side (R***TL) because this user is not in the "allowed users" list.
Is that possible?