Splunk Search

How can I report on userid's that are on event file but not CSV Lookup?

cxfuent29
New Member

I am using a lookup csv file.

events have userid and CSV file has userid.

Some of the event file userid's are not on CSV file (timing issue)

The output produces event count by userid.

I need to report on userid's that are on event file but not CSV,

Thanks ahead

0 Karma

elliotproebstel
Champion

Try appending this to your current search (but replace my_lookup.csv with the name of your actual lookup file):

| search NOT 
 [| inputlookup my_lookup.csv 
 | fields userid ]
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...