I have a list of accounts that I wish to monitor in a csv file, say accounts.csv.
The file looks like:
userid,username
joeuser,Joe User
jimuser,Jim User
Janeuser,Jane User
And the logs are in the format of:
operation=openedfile
UserId=joeuser@domain.com
So I need to compare the CSV's userid field to the UserId (stripping away the @domain part so they are the same).
I would like to produce a table showing all the accounts in the csv file and when they performed an activity (or what the activity was).
The trick is to create a table that shows all users in the CSV (not all that were found in the search - just the CSV), whether or not they performed an action. If they never did anything, then the last_activity field would be blank (or some message like "not logged in"). I can get close by doing something like:
index=unix_security
| dedup userid
| rename _time as last_login
| append [inputlookup accounts.csv]
| table userid name department last_login
| sort -userid
I believe I need to do a join somehow, but I can't seem to get the syntax right; I'm still learning this.
If anyone can provide some pointers that would be greatly appreciated.
Thanks!
EDIT
I found this but can't seem to make the answer work, as the userid in my events and in my CSV are a bit different.
https://answers.splunk.com/answers/589551/get-last-login-time-based-upon-a-list-of-accounts-1.html
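One way to express the search the post is asking for, added here as an example rather than something from the original question or the linked answer. It assumes the events live in index=unix_security, that accounts.csv is uploaded as a lookup table with only the userid and username columns shown above (the name and department fields in the posted search are not in that CSV), and that the lookup file is small enough to append to the results.

```spl
index=unix_security UserId=*
| rex field=UserId "^(?<userid>[^@]+)"
| eval userid=lower(userid)
| stats latest(_time) as last_activity latest(operation) as last_operation by userid
| inputlookup append=true accounts.csv
| eval userid=lower(userid)
| stats values(username) as username max(last_activity) as last_activity values(last_operation) as last_operation by userid
| where isnotnull(username)
| eval last_activity=if(isnull(last_activity), "not logged in", strftime(last_activity, "%Y-%m-%d %H:%M:%S"))
| sort userid
```

The rex keeps only the part of UserId before the @, lower() normalises both sides so an entry like Janeuser still matches, and the second stats acts as the left join: every CSV row survives it, the where drops accounts seen in events but absent from the CSV, and accounts with no events get a null last_activity that the eval turns into "not logged in".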