How to identify the login information from a lookup table users list

navan1
Explorer

Hello, 

I have a lookup table which contains the fields below.

 

user       shortname
email 1    name1
email 2    name2

I want to search a specific index and find whether the users in the lookup table logged in to any app in the past 1 month.

 

I am trying something like this and am not getting an exact match with the users in the lookup table. Please help here.

 

| inputlookup users_list.csv |join user type=outer [|search index="my_index" sourcetype="my_sourcetype" | fields app action signinDateTime user shortname ] |table app action signinDateTime user shortname
0 Karma

gcusello
SplunkTrust

Hi @navan1 ,

Only one question: do you want to search in a defined field or in the whole raw events?

If in one field (user) that's the same in both the main search and the lookup, please try this:

index="my_index" sourcetype="my_sourcetype" [ | inputlookup users_list.csv | fields user ]
| table app action signinDateTime user shortname

If you want to perform a full-text search of the lookup user values in the main search, you can try:

index="my_index" sourcetype="my_sourcetype" [ | inputlookup users_list.csv | rename user AS query | fields query ]
| table app action signinDateTime user shortname

Ciao.

Giuseppe

0 Karma
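Added example, not part of either post above: one way to list every user in the lookup together with whether they signed in during the past month, including users who have no events at all. It assumes the `user` value is the same in the events and in users_list.csv apart from letter case and that the one-month window is written as `earliest=-1mon@d`; `is_event`, `logins`, `last_signin`, `apps` and `logged_in` are names chosen for this example.

```spl
index="my_index" sourcetype="my_sourcetype" earliest=-1mon@d latest=now
    [ | inputlookup users_list.csv | fields user ]
| eval user=lower(user), is_event=1
| append
    [ | inputlookup users_list.csv
      | eval user=lower(user)
      | fields user shortname ]
| stats sum(is_event) AS logins
        latest(signinDateTime) AS last_signin
        values(app) AS apps
        values(shortname) AS shortname
        BY user
| fillnull value=0 logins
| eval logged_in=if(logins > 0, "yes", "no")
| table user shortname logged_in logins last_signin apps
| sort - logins
```

Rows with logged_in=no are the lookup users that a plain subsearch filter never shows, because that filter only returns events that exist.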