Solved: Re: Splunk search query for identifing the list of...

dbuddha2020 · ‎03-03-2023

We have a list of authorized user who have to specific Database and created a lookup table name "Authorized_list.csv". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

View solution in original post

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

dbuddha2020 · ‎03-03-2023

Can someone please help me getting the search query.

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases