I've read in other posts that using join in Splunk isn't great, so I'm looking for a better way to do my search. I want a table of users connected to the company VPN who are not using a corporate device and who are not contractors. The first join is to find non-corporate devices and the second join is to find users who are not contractors. Currently the search looks something like this:

index=firewall vpn_connection=success
| dedup device_name
| table device_name, user, src_ip
| join type=outer left=vpn right=AD where vpn.device_name=AD.name
    [| inputlookup AD_Computer_LDAP_list | table name]
| where isnull('AD.name')
| table vpn.device_name, vpn.user, vpn.src_ip
| rename vpn.user as user, vpn.device_name as device, vpn.src_ip as src_ip
| join type=left left=connected right=contractor where connected.user=contractor.user
    [| inputlookup AD_User_LDAP_list | where like(memberOf, "%contractor%") | eval user=lower(sAMAccountName) | table user]
| where isnull('contractor.user')
| table connected.device, connected.user, connected.src_ip

Any way to avoid using joins and to simplify this would be much appreciated!
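A join-free version of the same search, added here as an example and not the poster's own code: the first join becomes a lookup against AD_Computer_LDAP_list, and the contractor check becomes an append plus eventstats, so no join subsearch is needed. It assumes AD_Computer_LDAP_list and AD_User_LDAP_list exist as lookup definitions with the name, sAMAccountName and memberOf fields used in the question, and that the VPN events carry device_name, user and src_ip.

```spl
index=firewall vpn_connection=success
| dedup device_name
| fields device_name, user, src_ip
| lookup AD_Computer_LDAP_list name AS device_name OUTPUT name AS corp_device
| where isnull(corp_device)
| eval user=lower(user)
| append
    [| inputlookup AD_User_LDAP_list
     | where like(memberOf, "%contractor%")
     | eval user=lower(sAMAccountName), is_contractor=1
     | fields user, is_contractor]
| eventstats max(is_contractor) AS is_contractor BY user
| where isnotnull(device_name) AND isnull(is_contractor)
| table device_name, user, src_ip
```

The appended lookup rows have no device_name, so the isnotnull(device_name) test drops them once eventstats has tagged every contractor's VPN events with is_contractor. CSV lookups match case-sensitively by default, so set case_sensitive_match = false on the lookup definition if device names differ in case between the firewall logs and AD.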