Thanks Javiergn,
I think I got that part nailed down. I have a new challenge now.
I would like to look up a user against a lookup table, where it will exclude a user account if it matches a list of workstations. The idea is we have some service accounts that are used on certain workstations. I am thinking that putting those workstations against the respective accounts in a lookup table and having Splunk exclude users based on that list would be ideal. Is that even possible?
Secondly, even though I set the count to greater than 5, can I specify a different count for a different type of user, so say for administrative accounts, only display results greater than 10?
Please let me know if this is possible. If you have an idea of another way to do this, I would appreciate it as well.
Thanks,