Solved: Re: List of users accessing activesync

jennjoe1 · ‎09-26-2017

index=exchange sourcetype=uag trunk="activesync2010" user="*" *returns a list of active sync users in the last timeframe

I have a lookup table list of watched users

| lookup VIP_mail.csv

If the user in the VIP lookup table also has active usage logs than I want the logs for all users in the table

index=exchange sourcetype=uag trunk="activesync2010" user="*" | lookup VIP_mail.csv "User ID" as USERID | where user=USERID

the match should be true if user ID's match

DalJeanis · ‎09-26-2017

Try this

index=exchange sourcetype=uag trunk="activesync2010" user="*" 
| lookup VIP_mail.csv "User ID" as user OUTPUT "User ID"  as USERID 
| where isnotnull(USERID)

View solution in original post

DalJeanis · ‎09-26-2017

Try this

index=exchange sourcetype=uag trunk="activesync2010" user="*" 
| lookup VIP_mail.csv "User ID" as user OUTPUT "User ID"  as USERID 
| where isnotnull(USERID)

jennjoe1 · ‎09-27-2017

Perfect 🙂

List of users accessing activesync

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

List of users accessing activesync

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!