Lookup values not shown on result table

dunick · ‎10-05-2019

Hello all,

I am searching in Splunk for the last login date of a User and export it into a table:

... | eval date=strftime(_time,"%F")
| stats latest(date) by U
| table U, latest(date)

Now I have a lookup table (user_info.csv) containing ALL UserID from the system.
I would like to include all of them on the my search results, even those who never logged-in in the system. For example (PWMDN):

UserID  Last login
 JLSME  2019-02-21
KOEMN   2019-10-12
PWMDN   Never (or 1900-01-01)
JDEMI   2019-09-11

Do you have any Idea how to do it?
Thank you very much

cmerriman · ‎10-05-2019

i would append the lookup table with the user_info.csv

Something similar to

<base search to gather all active users with latest login date>
|rename U as UserID
|inputlookup user_info.csv append=true
|stats latest(last_login) as last_login by UserID
|fillnull last_login value="Never"

dunick · ‎10-07-2019

Thank you very much, it works!!

woodcock · ‎10-08-2019

Come back and click Accept to close the question.

Lookup values not shown on result table

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Lookup values not shown on result table

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?