Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subsearch or ‘let stats sort it out’?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey folks. Help!
I have two indexes.
- Index 1 - Contains an authoritative list of AWSconfig accounts it.
- index 2 - Contains cloudtrail data - logins by account
I want to list accounts that haven’t been logged into using my AWSconfig account list (index 1) as Index 2 (cloudtrail) only has logs of what has been logged into at some point...
I was going to use a subsearch to get a list of unique accounts from index 1 and then pass that into a search against cloudtrail (index 2) - but was wondering if I could use stats instead (cause y’know subsearches have limitations...)
Thoughts?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I might use a lookup for this task.
I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.
Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.
Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv
Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are the event counts in both indexes (based on the search time range you'll be using)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I might use a lookup for this task.
I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.
Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.
Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv
Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I’m not looking for isAuthed per se more ‘from the a deduped list of master accounts in index1, have they been found logging in determined by the Cloudtrail logs in index2.
Lookup could work but.. will try and report back. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I see, its more like "from this list of users, who has logged in?"
In that case the lookup is still a viable solution - but maybe you can use a field name like 'reviewLogin' instead of 'isAuthorised'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah. Sounds good!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
