Solved: Splunk search for identifying the list of unauthor...

dbuddha2020 · ‎03-03-2023

We have a list of authorized user who have to specific Database and created a lookup table name "Authorized_list.csv". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

View solution in original post

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

dbuddha2020 · ‎03-03-2023

Can someone please help me getting the search query.

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Are you a member of the Splunk Community?

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ