cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ktaitingfong
Explorer
Member since: ‎03-06-2015
‎04-07-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎03-06-2015
Activity Feed
View All

Re: Counting a value out of a lookup table that do...

by in Splunk Search
‎10-10-2017 08:57 AM
‎10-10-2017 08:57 AM
Thanks, this gets me a lot closer. I think the problem I have now is that the roles field is multivalued but I can work that out. Thanks for the help! ... View more

Re: Counting a value out of a lookup table that do...

by in Splunk Search
‎09-21-2017 10:09 AM
‎09-21-2017 10:09 AM
Thanks for the help. Unfortunately, this gives me the same results I received previously which is showing me a zero count for roles and users although I have a user in the same role that did login. i.e.: Bob and Mary both have the role 'power' and Bob is showing up in the list, but since since Mary is in the same group and has logged in, 'power' shouldn't be in the results. ... View more

Re: Counting a value out of a lookup table that do...

by in Splunk Search
‎09-21-2017 10:02 AM
‎09-21-2017 10:02 AM
Thanks, Oddly this produces no results with and without the makekv and kvexpand and even with the where mycount=0 has been removed. ... View more

Counting a value out of a lookup table that does n...

by in Splunk Search
‎09-20-2017 01:33 PM
‎09-20-2017 01:33 PM
Hi, I have a search that works just fine that shows a list of users in a lookup table that have not logged into Splunk in the last 7 days: | inputlookup user_role_lookup.csv | rename userName AS user | table user | eval count=0 | join type=left user [search index=_audit action="login attempt" info=succeeded earliest=-7d@d | stats count by user] | where count=0 The lookup table is simply 'userName' and 'roles' with about 190 entries. Roles, of course, is not a value in the _audit logs. I want to be able to show if no one from a particular role logged into Splunk in the last 7 days but replacing 'user' with 'roles' in the query above doesn't give me what I need. If it matters, the field 'roles' is the actual roles we created in Splunk pulled out using the REST command that was put into a lookup table. Any help is appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-07-2023 11:25 AM
Karma given to
View All