Splunk Search

Trying to build a field in search then compare the results to a lookup table

Contributor

Trying to compare the results of a lookup table to a field I'm creating by using mvindex. I can get it to join and show me everything that matches, but what I really want to do is show me everything in this newly created field that doesn't match the lookup table.

source=WinEventLog:Security (EventCode="4733" OR EventCode="4732" OR EventCode="637" OR EventCode="636")
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,0)
| join [ inputlookup admin_list | fields + Admin_Name | rename Admin_Name as Wanted_Account]
| table Wanted_Account

This currently shows me every referenced admin in Wanted_Account. How can I do the inverse?

Many thanks in advance!!

1 Solution

Explorer

Instead of:
"| table Wanted_Account"
Can you do something like this:
"| search Wanted_Account!=*"

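The inverse of the question's inner join, as an added example that is not part of the question or the accepted answer: rather than keeping only the accounts that appear in the lookup, each event is enriched with a marker field from admin_list via the lookup command, and only rows where the marker is absent are kept, i.e. group-membership changes involving accounts not on the approved admin list. It assumes admin_list is a lookup definition with an Admin_Name column (as the question's inputlookup implies); the output field name matched_admin is an arbitrary name chosen here.

```spl
source=WinEventLog:Security (EventCode="4733" OR EventCode="4732" OR EventCode="637" OR EventCode="636")
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,0)
| lookup admin_list Admin_Name AS Wanted_Account OUTPUTNEW Admin_Name AS matched_admin
| where isnotnull(Wanted_Account) AND isnull(matched_admin)
| stats count AS changes, values(EventCode) AS event_codes BY Wanted_Account
```

The lookup step is an enrichment, not a subsearch, so it is not subject to the row and time limits that apply to join; reaching the same result with join would need `join type=left` plus a marker field set inside the subsearch, followed by the same `isnull` filter. The `isnotnull(Wanted_Account)` clause drops events where the rex extracted no account name, which would otherwise surface as false "not an admin" hits. Lookup matching is case-sensitive by default, so if the case of Admin_Name in admin_list differs from the event data, either set case_sensitive_match to false in the lookup definition or apply lower() to both sides before matching.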
