Splunk Search

Trying to build a field in search then compare the results to a lookup table

mjones414
Contributor

Trying to compare the results of a lookup table to a field I'm creating by using mvindex. I can get it to join and show me everything that matches, but what I really want to do is show me everything in this newly created field that doesn't match the lookup table.

source=WinEventLog:Security (EventCode="4733" OR EventCode="4732" OR EventCode="637" OR EventCode="636")
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,0)
| join [ inputlookup admin_list | fields + Admin_Name | rename Admin_Name as Wanted_Account]
| table Wanted_Account

This currently shows me every referenced admin in Wanted_Account. How can I do the inverse?

Many thanks in advance!!

1 Solution

jt_splunk
Explorer

Instead of:
"| table Wanted_Account"
Can you do something like this:
"| search Wanted_Account!=*"

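The inverse the question asks for, as an added example that is not from the original post or the answer above: the default `join` is an inner join, which is why only matching admins survive, while `type=left` keeps every event, a marker field set in the subsearch exists only on rows that matched the lookup, and `where isnull(...)` keeps the rest. It assumes the same `admin_list` lookup and `Admin_Name` field as the question; `Is_Admin` is a constructed marker field name.

```spl
source=WinEventLog:Security (EventCode="4733" OR EventCode="4732" OR EventCode="637" OR EventCode="636")
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,0)
| join type=left Wanted_Account
    [ inputlookup admin_list
      | fields + Admin_Name
      | rename Admin_Name as Wanted_Account
      | eval Is_Admin="yes" ]
| where isnull(Is_Admin)
| table _time EventCode Wanted_Account
```

If `admin_list` is configured as a lookup definition, `| lookup admin_list Admin_Name AS Wanted_Account OUTPUT Admin_Name AS Is_Admin` followed by the same `where` gives the same result without the subsearch row and time limits that `join` is subject to.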
