We have a list of authorized user who have to specific Database and created a lookup table name "Authorized_list.csv". tried a search query for any unathorized user/s access db apart of that lookup table, need to be notified.
Do you have any start to a search you could post?
In general, you could do something like:
"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"
This is assuming "users" is a field in both your indexed data and a field in the CSV.
Do you have any start to a search you could post?
In general, you could do something like:
"index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users"
This is assuming "users" is a field in both your indexed data and a field in the CSV.
Can someone please help me getting the search query.