Solved: Splunk search for identifying the list of unauthor...

dbuddha2020 · ‎03-03-2023

We have a list of authorized user who have to specific Database and created a lookup table name "Authorized_list.csv". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

View solution in original post

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

dbuddha2020 · ‎03-03-2023

Can someone please help me getting the search query.

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)