Solved: Re: Splunk search query for identifing the list of...

dbuddha2020 · ‎03-03-2023

We have a list of authorized user who have to specific Database and created a lookup table name "Authorized_list.csv". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

View solution in original post

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

dbuddha2020 · ‎03-03-2023

Can someone please help me getting the search query.

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?