Hi,
I have deployed Splunk to log data on users who are logging onto servers (Unix and Windows). I want to create a report that shows users who are not permitted to log onto those servers. I have been given a list of users who are permitted to log on, so I wanted to create a search which shows users logging on except the permitted users. I am trying to use the following:
Please can someone advise what commands to use to include the list of permitted users I have and to exempt them from the search result?
Regards,
Chetan
Hi,
thanks, the following worked:
EventCode=18453 | search NOT [ | inputlookup allowed_users.csv ] | stats count by User
However, the header of the CSV file should be User to match the syslog message.
Regards,
You can rename the field name in the subsearch. That way you can keep your CSV headers the same as before.
Hi,
thanks for your assistance. Is there any particular place the allowed_user.csv would need to be? For example, if I am on a Terminal Server and running Splunk HTTP, can that CSV be somewhere on that terminal server and I direct the lookup to it?
Regards,
I think that your user.csv must be placed in $SPLUNK_HOME/etc/system/lookups
on your Splunk server and you need to add some stanzas to $SPLUNK_HOME/etc/system/transforms.conf,
something like this:
[allowed_users]
filename=user.csv
Try something like this (assuming you have the list of permitted users and have configured it as a lookup, say allowed_users.csv):
your base search giving all users | search NOT [ |inputlookup allowed_users.csv | table User] | stats count as LoginCount by User
This should show you the login count for the users who are not present in allowed_users.csv, which lists the users who are allowed.
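Putting the two answers together (the NOT subsearch, and renaming the field inside the subsearch so the CSV header can stay as it is), as an added example that is not from any poster in this thread. It assumes the CSV column is called username (constructed sample values alice and bob) and that the base search from the earlier reply (EventCode=18453) produces a User field:

```spl
`comment("Assumption: allowed_users.csv has one column named username (constructed sample rows: alice, bob)")`
EventCode=18453
| search NOT [ | inputlookup allowed_users.csv | rename username AS User | fields User ]
| stats count AS LoginCount, earliest(_time) AS FirstSeen, latest(_time) AS LastSeen by User
| convert ctime(FirstSeen) ctime(LastSeen)
| sort - LoginCount
```

The subsearch expands to (User="alice") OR (User="bob"), so the NOT drops every permitted user before stats runs, and the first/last seen columns make it easier to see when an unexpected account started appearing.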