How to identify the login information from a looku...

navan1 · ‎01-23-2025

Hello,

I have lookup table which contain fields as below.

user shortname

email 1 name1

email 2 name2

I wanted to search specific index and find whether the users in the lookup table logged in to any app for past 1 month.

I am trying something like this and not getting exact match with users in the lookup table. Please help here.

| inputlookup users_list.csv |join user type=outer [|search index="my_index" sourcetype="my_sourcetype" | fields app action signinDateTime user shortname ] |table app action signinDateTime user shortname

gcusello · ‎01-23-2025

Hi @navan1 ,

only one question: do you want to search in a defined field or in all the events raw?

if in one field (user) that's the same both in main search and lookup, please try this:

index="my_index" sourcetype="my_sourcetype" [ | inputlookup users_list.csv | fields user ]
| table app action signinDateTime user shortname

if you want to perform a full text search of the lookup user values in the main search, you can try:

index="my_index" sourcetype="my_sourcetype" [ | inputlookup users_list.csv | rename user AS query | fields query ]
| table app action signinDateTime user shortname

Ciao.

Giuseppe

How to identify the login information from a lookup table users list

count

eval

fields

join

lookup

stats

table

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to identify the login information from a lookup table users list

Can’t make it to .conf25? Join us online!