Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check if Data in a Lookup Table does not exist in another Index

mgbersales
Loves-to-Learn
‎11-19-2019 06:21 PM

I am creating a query to check if a list of accounts owned by our team exists and with correct privilege type in another index which contain a listing of all DB servers and account logins and privilege types.

I have a lookup table masterlist of all accounts owned by our team and their corresponding Privilege_Types:
Account_Name Privilege_Type
account1 sa_role
account1 sso_role
account2 sa_role
account2 mon_role
account3 sa_role

My index contains the following data:
Server_Name Account_Name Privilege_Type
server1 account1 sa_role
server1 account 1 sso_role
server1 account2 sa_role
server2 account1 sa_role
server2 account2 sso_role
server2 account2 mon_role
server2 account3 mon_role

My desired output should show if an account exists and the privilege types are correct
Server_Name Account_Name AccountExists CorrectPrivilegeType
server1 account1 Y Y
server1 account2 Y N
server1 account3 N N
server2 account1 Y N
server2 account2 Y Y
server3 account3 Y N

How do i achieve this result?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 12:22 AM

Hi @mgbersales,
see something like this:

index=my_index
| lookup my_lookup Account_Name OUTPUT Privilege_Type AS New_Privilege_Type
| eval AccountExists=if(isnull(New_Privilege_Type),"N","Y"), CorrectPrivilegeType=if(Privilege_Type=New_Privilege_Type,"Y","N")
| stats values(AccountExists) AS AccountExists values(CorrectPrivilegeType) AS CorrectPrivilegeType BY Server_Name Account_Name

Ciao.
Giuseppe

0 Karma
Reply

MuS
Legend
‎11-19-2019 06:38 PM

Hi mgbersales,

Please read this great post of @dwaddle https://www.duanewaddle.com/proving-a-negative/ that covers exactly this topic.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...