Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Subsearch or ‘let stats sort it out’?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey folks. Help!
I have two indexes.
- Index 1 - Contains an authoritative list of AWSconfig accounts it.
- index 2 - Contains cloudtrail data - logins by account
I want to list accounts that haven’t been logged into using my AWSconfig account list (index 1) as Index 2 (cloudtrail) only has logs of what has been logged into at some point...
I was going to use a subsearch to get a list of unique accounts from index 1 and then pass that into a search against cloudtrail (index 2) - but was wondering if I could use stats instead (cause y’know subsearches have limitations...)
Thoughts?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I might use a lookup for this task.
I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.
Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.
Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv
Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are the event counts in both indexes (based on the search time range you'll be using)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I might use a lookup for this task.
I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.
Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.
Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv
Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I’m not looking for isAuthed per se more ‘from the a deduped list of master accounts in index1, have they been found logging in determined by the Cloudtrail logs in index2.
Lookup could work but.. will try and report back. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I see, its more like "from this list of users, who has logged in?"
In that case the lookup is still a viable solution - but maybe you can use a field name like 'reviewLogin' instead of 'isAuthorised'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah. Sounds good!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
