Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check if Data in a Lookup Table does not exist in another Index

mgbersales
Loves-to-Learn
‎11-19-2019 06:21 PM

I am creating a query to check if a list of accounts owned by our team exists and with correct privilege type in another index which contain a listing of all DB servers and account logins and privilege types.

I have a lookup table masterlist of all accounts owned by our team and their corresponding Privilege_Types:
Account_Name Privilege_Type
account1 sa_role
account1 sso_role
account2 sa_role
account2 mon_role
account3 sa_role

My index contains the following data:
Server_Name Account_Name Privilege_Type
server1 account1 sa_role
server1 account 1 sso_role
server1 account2 sa_role
server2 account1 sa_role
server2 account2 sso_role
server2 account2 mon_role
server2 account3 mon_role

My desired output should show if an account exists and the privilege types are correct
Server_Name Account_Name AccountExists CorrectPrivilegeType
server1 account1 Y Y
server1 account2 Y N
server1 account3 N N
server2 account1 Y N
server2 account2 Y Y
server3 account3 Y N

How do i achieve this result?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 12:22 AM

Hi @mgbersales,
see something like this:

index=my_index
| lookup my_lookup Account_Name OUTPUT Privilege_Type AS New_Privilege_Type
| eval AccountExists=if(isnull(New_Privilege_Type),"N","Y"), CorrectPrivilegeType=if(Privilege_Type=New_Privilege_Type,"Y","N")
| stats values(AccountExists) AS AccountExists values(CorrectPrivilegeType) AS CorrectPrivilegeType BY Server_Name Account_Name

Ciao.
Giuseppe

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎11-19-2019 06:38 PM

Hi mgbersales,

Please read this great post of @dwaddle https://www.duanewaddle.com/proving-a-negative/ that covers exactly this topic.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...