How to compare search results using csv as input c...

itsppp1234 · ‎02-22-2022

I need to search using the input from csv and compare the results with the same csv containing two columns - and show the difference between them (accountname present and accountname absent)

eventcode=4768 contains Account_Name in NTID format

eventcode=4769 contains Account_Name in UPN format

index=<index_name> host=<host_list> EventCode=4768 OR EventCode=4769 [| inputlookup accountname.csv] | dedup Account_Name | table Account_Name, Ticket_Encryption_Type, Supplied_Realm_Name, Service_Name,Service_ID

how do I make the results from above query to show the difference?

Appreciate the help.

Thanks

itsppp1234 · ‎02-22-2022

Also, how do I get it to search for both EventCode above.

Currently, it is only searching for a 4768 or 4769 due to the change in the value format of Account_Name field.

How to compare search results using csv as input containing two columns - and show difference (present and absent)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation