Solved: Re: user name missing or exist in search

pr_blr · ‎05-17-2013

I am reading user from lookup file and then searching a search and find the user list from lookup file and giving table as user and status missing or exist in search.
please suggest me what should be the efficient way of doing this.

kml_uvce · ‎05-17-2013

there are 2 ways of doing this.
1) Use left join : <first search of lookuptable> left join <second search>
2) use transaction and append on user: <first search of lookuptable> |append <second search> |transaction user|use if condition to see any field of second search exist then make value as exist otherwise missing.

second way of doing is faster than first...

View solution in original post

kml_uvce · ‎05-17-2013

there are 2 ways of doing this.
1) Use left join : <first search of lookuptable> left join <second search>
2) use transaction and append on user: <first search of lookuptable> |append <second search> |transaction user|use if condition to see any field of second search exist then make value as exist otherwise missing.

second way of doing is faster than first...

pr_blr · ‎05-17-2013

thanks second option works for me

user name missing or exist in search

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas