Solved: List of users accessing activesync

jennjoe1 · ‎09-26-2017

index=exchange sourcetype=uag trunk="activesync2010" user="*" *returns a list of active sync users in the last timeframe

I have a lookup table list of watched users

| lookup VIP_mail.csv

If the user in the VIP lookup table also has active usage logs than I want the logs for all users in the table

index=exchange sourcetype=uag trunk="activesync2010" user="*" | lookup VIP_mail.csv "User ID" as USERID | where user=USERID

the match should be true if user ID's match

DalJeanis · ‎09-26-2017

Try this

index=exchange sourcetype=uag trunk="activesync2010" user="*" 
| lookup VIP_mail.csv "User ID" as user OUTPUT "User ID"  as USERID 
| where isnotnull(USERID)

View solution in original post

DalJeanis · ‎09-26-2017

Try this

index=exchange sourcetype=uag trunk="activesync2010" user="*" 
| lookup VIP_mail.csv "User ID" as user OUTPUT "User ID"  as USERID 
| where isnotnull(USERID)

jennjoe1 · ‎09-27-2017

Perfect 🙂

List of users accessing activesync

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

List of users accessing activesync

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...