Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I have a search that returns activity summary by email address. I also have a ksv with KNOWN users. How do I list those users that have no activity in the search?

MwayneSmith
Explorer
‎04-20-2020 08:00 AM

someone suggested a join, but as a newbie...... Don't know how to do this. I believe I would need two searches, 1 being the user activity, 2 being the list of KNOWN users from the ksv. I can do both of those, but how to see the users without activity?

Tags (2)
0 Karma
Reply

MuS
Legend
‎04-20-2020 01:48 PM

Hi MwayneSmith,

a very simple approach is to use the lookup (assuming the ksv file is a lookup file?) and search for anything that is NOT in an index:

| inputlookup file.csv | search NOT [search your search to get email activity | dedup user | fields user]

an improved version of the search would search first the email activity events from an index, add the lookup information and count them:

your search to get email activity  
| stats count by user
| inputlookup append=true file.csv
| fillnull count

any result with count 0 are your users with no email activity.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...