Splunk Search

where username NOT equal to list of usernames in Lookup table

r999
Path Finder

I have some data indexed which is a snapshot of users who have access to a system.

I have uploaded a one-column CSV with a list of usernames who SHOULD have access to a system.

How do I use the lookup table to do a search like:

source="user_snapshot" username != inputlookup "valid_users"

i.e. I want the search to simply return a list of the users who should not have access.

1 Solution

Ayn
Legend

Use table.

... | table username
0 Karma

r999
Path Finder

thanks...

The only issue now is that this does not display in a table format as the first search did, just a list of events. How can I put this into a clean table of users which I can then add to a dashboard?

0 Karma

Ayn
Legend

Just switch the location of the search and the subsearch. You want to list all users in the snapshot and search for the ones that are in the snapshot but not in the lookup. I don't know what field names you're using in the lookup file, so I'm calling the relevant field here "username":

source="user_snapshot" NOT [| inputlookup valid_user.csv | fields username]
0 Karma
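As an added example (not from this thread), the same "in the snapshot but not in the lookup" check written with the lookup command instead of a subsearch, assuming the lookup file is named valid_users.csv, its column is called username, and the indexed events also carry a username field:

```spl
source="user_snapshot"
| dedup username
| lookup valid_users.csv username OUTPUT username AS allowed
| where isnull(allowed)
| table username
```

The lookup command matches each event against the CSV directly, so it is not subject to the subsearch result limit that a `NOT [| inputlookup ...]` form hits once the allowed-user list grows large; `dedup` and `table` turn the result into the clean one-column list suitable for a dashboard panel.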

r999
Path Finder

Hi, thanks very much. I actually got something working similar to the first link; however, that is returning the inverse of what I wanted and I can't work out how to change it...

Results show "valid_users" who are not in the user snapshot.

I would like to see a list of users in the snapshot who are not valid_users.

How do I amend the following:

| inputlookup valid_user.csv | search NOT [search source="user_snapshot*" | dedup username | fields username]

Thanks in advance.

0 Karma