
Unable to see correct result after running splunk query

New Member

Issue: unable to see the correct result after running the query.
I have a lookup file (.CSV) which consists of some fields (AD group, user ID) and an event log which consists of fields (user ID, IP address, malware, DNS).
AD.CSV:
The file has the fields AD_group, user ID
AD_group user ID
AD1 John
AD2 John
AD2 Robert
AD1 Juhi
AD3 John
AD1 Rubi
AD4 Ruba
AD2 Jen

Event log:
The event has some fields: user ID, IP address, malware, DNS.
Here only user ID is common to the .CSV and the event log,
but the ADgroup field is available only in the .CSV file.
When running the below query:
`index=main ADgroup="AD1" | table userid ADgroup`
Output:
userid ADgroup
John AD1
John AD2
John AD3
Juhi AD1
Rubi AD1
Here I am trying to search only the AD1 group in the query but getting results for three AD groups (AD1, AD2, AD3), where the user_id name John is common to these 3 groups.
Why am I getting an unexpected result here?

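The pattern in the posted output (John appearing once per group he belongs to) is what a lookup produces when the key column holds duplicate rows: the enrichment returns a multivalue field, and a filter like ADgroup="AD1" matches any event whose multivalue field contains AD1. The following is an added example, not from the post or from Splunk, that models that behaviour in Python over the question's CSV and a constructed event log; the assumption that the AD_group lookup is applied per userid and collects duplicate keys into a multivalue field is mine, and the userid/ADgroup field names follow the question.

```python
import csv
import io

# Constructed copy of AD.CSV from the question (duplicate userids are the point).
AD_CSV = """AD_group,userid
AD1,John
AD2,John
AD2,Robert
AD1,Juhi
AD3,John
AD1,Rubi
AD4,Ruba
AD2,Jen
"""

# Constructed event log: only userid is shared with the lookup file.
EVENTS = [
    {"userid": "John", "ip": "10.0.0.5", "malware": "none", "dns": "a.example"},
    {"userid": "Juhi", "ip": "10.0.0.6", "malware": "none", "dns": "b.example"},
    {"userid": "Robert", "ip": "10.0.0.7", "malware": "trojan", "dns": "c.example"},
    {"userid": "Rubi", "ip": "10.0.0.8", "malware": "none", "dns": "d.example"},
]


def load_lookup(text):
    """Index rows by userid; duplicate keys collect into a list,
    which models the multivalue ADgroup field the lookup returns."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups.setdefault(row["userid"], []).append(row["AD_group"])
    return groups


def enrich(events, lookup):
    """Attach the (possibly multivalue) ADgroup field to each event."""
    return [dict(e, ADgroup=lookup.get(e["userid"], [])) for e in events]


def search_any_value(events, lookup, group):
    """ADgroup="AD1" on a multivalue field matches if ANY value is AD1,
    so the row for John still carries AD2 and AD3 when tabulated."""
    return [(e["userid"], g) for e in enrich(events, lookup)
            if group in e["ADgroup"] for g in e["ADgroup"]]


def search_per_value(events, lookup, group):
    """Filter each (userid, group) pair individually, keeping only the
    requested group; this is the result the question expected."""
    return [(e["userid"], g) for e in enrich(events, lookup)
            for g in e["ADgroup"] if g == group]
```

In SPL terms, `search_per_value` corresponds to expanding the multivalue field into one row per value before filtering on it, rather than filtering on the multivalue field and then tabulating it.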

Champion

The above search statement does not produce that result. Please provide a complete search statement.
