Splunk Search

How to identify the login information from a lookup table users list

navan1
Explorer

Hello, 

I have a lookup table which contains the fields below.

 

user       shortname
email 1    name1
email 2    name2

I wanted to search a specific index and find whether the users in the lookup table logged in to any app for the past 1 month.

 

I am trying something like this and am not getting an exact match with the users in the lookup table. Please help here.

 

| inputlookup users_list.csv |join user type=outer [|search index="my_index" sourcetype="my_sourcetype" | fields app action signinDateTime user shortname ] |table app action signinDateTime user shortname
0 Karma

gcusello
SplunkTrust

Hi @navan1 ,

Only one question: do you want to search in a defined field or in all the raw events?

If in one field (user) that's the same both in the main search and the lookup, please try this:

index="my_index" sourcetype="my_sourcetype" [ | inputlookup users_list.csv | fields user ]
| table app action signinDateTime user shortname

If you want to perform a full-text search of the lookup user values in the main search, you can try:

index="my_index" sourcetype="my_sourcetype" [ | inputlookup users_list.csv | rename user AS query | fields query ]
| table app action signinDateTime user shortname

Ciao.

Giuseppe

0 Karma
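
An added example, not part of the original thread and not Splunk's own code: the field-filter subsearch from the answer above, extended so that lookup users with no sign-in also appear in the result and shortname is taken from the lookup rather than from the events. It assumes "past 1 month" means the last 30 days and that user holds the same value, including case, in the events and in users_list.csv; the output field names logins, apps, last_signin and logged_in are introduced here.

```spl
index="my_index" sourcetype="my_sourcetype" earliest=-30d@d latest=now
    [ | inputlookup users_list.csv | fields user ]
| stats count AS logins values(app) AS apps latest(signinDateTime) AS last_signin BY user
| append
    [ | inputlookup users_list.csv | fields user | eval logins=0 ]
| stats sum(logins) AS logins values(apps) AS apps values(last_signin) AS last_signin BY user
| lookup users_list.csv user OUTPUT shortname
| eval logged_in=if(logins > 0, "yes", "no")
| table user shortname logged_in logins apps last_signin
| sort - logins
```

Subsearch output is capped (10,000 results by default), so a users_list.csv larger than that would be truncated in the filter on the first line.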