Solved: Re: Splunk search query for identifing the list of...

dbuddha2020 · ‎03-03-2023

We have a list of authorized user who have to specific Database and created a lookup table name "Authorized_list.csv". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

View solution in original post

aoverfield · ‎03-03-2023

Do you have any start to a search you could post?

In general, you could do something like:

"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"

This is assuming "users" is a field in both your indexed data and a field in the CSV.

dbuddha2020 · ‎03-03-2023

Can someone please help me getting the search query.

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Splunk search for identifying the list of unauthorized user from the authorized users db lookup table?

search job inspector

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits