Solved: List of users accessing activesync

jennjoe1 · ‎09-26-2017

index=exchange sourcetype=uag trunk="activesync2010" user="*" *returns a list of active sync users in the last timeframe

I have a lookup table list of watched users

| lookup VIP_mail.csv

If the user in the VIP lookup table also has active usage logs than I want the logs for all users in the table

index=exchange sourcetype=uag trunk="activesync2010" user="*" | lookup VIP_mail.csv "User ID" as USERID | where user=USERID

the match should be true if user ID's match

DalJeanis · ‎09-26-2017

Try this

index=exchange sourcetype=uag trunk="activesync2010" user="*" 
| lookup VIP_mail.csv "User ID" as user OUTPUT "User ID"  as USERID 
| where isnotnull(USERID)

View solution in original post

DalJeanis · ‎09-26-2017

Try this

index=exchange sourcetype=uag trunk="activesync2010" user="*" 
| lookup VIP_mail.csv "User ID" as user OUTPUT "User ID"  as USERID 
| where isnotnull(USERID)

jennjoe1 · ‎09-27-2017

Perfect 🙂

List of users accessing activesync

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation