search user check

gitingua · ‎10-26-2021

It is necessary to check if the user is in the index in this file or not. If not, then add to the file, if it is in the file, then nothing happens

file.csv

username	info1	info2
john	abcd	qwer

index = IndexName

username	info1	info2
Aram	ghjk	qweiq

Condition, if the user is not found in the file, then write it to the file

output

username	info1	info2
john	abcd	qwer
Aram	ghjk	qweiq

ITWhisperer · ‎10-27-2021

Try something like this

index=IndexName
| table username info1 info2
| append [| inputlookup file.csv]
| dedup username
| outputlookup file.csv append=f

gitingua · ‎10-27-2021

@ITWhisperer

can it be done through "where"?

ITWhisperer · ‎10-27-2021

Can what be done through where?

gitingua · ‎10-27-2021

example
| where id != id_old or not match(username)

is it possible to write something similar

@ITWhisperer

gitingua · ‎10-27-2021

@ITWhisperer

I have a check where two parameters are compared via "where"

example | where id != id_old

there are already users with ID in the file, and after verification new IDs are added. But it happens that a new user appears in the index.

And it turns out if "| where id != id_old" it does not pass. And I need to add a condition,if the check did not work "| where id != id_old", then check whether such a user exists at all in the file

search user check

count

fields

join

regex

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life