Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JOIN to list user per DeviceId

davidcraven02
Communicator
‎05-15-2018 03:40 AM

Search is trying to show all users within the companyOu that have Mobile Iron setup (Status=Allowed) and those that do not (Mobile Iron not setup)

The below search is only showing one user listed but some users have more than one DeviceId configured. I can't work out why all DeviceId's are not showing for a user.

index=ad source=aduserscan 
| table samAccountName, companyOu, displayName 
| search samAccountName=*_cp companyOu=dacp.com 
| rename samAccountName as MailboxId 
| join type=left MailboxId 
    [ search index=msexchange source=otl_mobileiron MailboxId=*_cp 
    | dedup DeviceId 
    | search Retired="false" ] 
| rename companyOu as Company, MailboxId as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status 
| fillnull value="Mobile Iron not setup" Status 
| table Company, "User ID", "Display Name", "Status" DeviceId
| sort Company asc

alt text

Tags (2)
Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎05-15-2018 06:59 AM

@davidcraven02, Can you try the following:

index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" 
| dedup MailboxId DeviceId 
| rename MailboxId as samAccountName 
| join type=left samAccountName 
    [ search index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com 
    | dedup samAccountName, companyOu, displayName ] 
| rename companyOu as Company, samAccountName as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status 
| fillnull value="Mobile Iron not setup" Status 
| table Company, "User ID", "Display Name", "Status" DeviceId 
| sort Company asc

If this does not work, can you share example of which record from specific index does not show up? Mock/Anonymize sensitive data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

davidcraven02
Communicator
‎05-15-2018 07:27 AM

Thanks but this only returned 60 results whereas my original search returns 146 results.

I cant upload a screenshot but this search returned all users who have MobileIron (listing several DeviceId's per user) but it did not include those users who don't have it. The source aduserscan contains all users within the companyOu.

0 Karma
Reply

niketn
Legend
‎05-15-2018 07:56 AM

@davidcraven02 without having a look at some data values from events for the two sources, it would be difficult to come up with exact query, but can you try a different approach to check whether all Device IDs for various MailBoxIds show up

( index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" ) OR (index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com)
| rename samAccountName as MailboxId 
| stats count values(DeviceId) as DeviceId by MailboxId
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

davidcraven02
Communicator
‎05-15-2018 08:14 AM

This returned 146 results which is the total number of users for this company. However each MailboxId has a count of 1 and no DeviceId is displayed.

MailboxId count DeviceId
Haver_cp 1

dadams_cp 1

Forindex=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" the user field is called MailboxId not samAccountName.

And the user field for index=ad source=aduserscanis called samAccountName

( index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" )
      | stats count values(DeviceId) as DeviceId by MailboxId

When I search the above I get the below data

MailboxId   count   DeviceId
abon_cp          1         nine54011c5277ab
acavez_cp   1         ninebe03364cd694
acori_cp            1        iqj4udgc1h1q31j8vik9vceflo
akura_cp    1        rbmm3dea9d45v2kbt1rs36a7ok
aruma_cp    2        e53fd31687aa1ae3
                                     ninea8a1b3156df0
0 Karma
Reply

niketn
Legend
‎05-15-2018 09:17 AM

@davidcraven02, give the following a try, see whether matches for MailboxIds are coming from both sources otl_mobileiron and aduserscan or not.

( index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" ) OR (index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com)
 | eval MailboxId=coalesce(MailboxId,samAccountName)
 | stats count values(source) as source  values(DeviceId) as DeviceId by MailboxId
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mayurr98
Super Champion
‎05-15-2018 05:39 AM

can you try this?

index=ad source=aduserscan samAccountName=*_cp companyOu=dacp.com 
| stats count by samAccountName, companyOu, displayName 
| rename samAccountName as MailboxId 
| join type=left MailboxId 
    [ search index=msexchange source=otl_mobileiron MailboxId=*_cp Retired="false" 
    | dedup MailboxId DeviceId] 
| rename companyOu as Company, MailboxId as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status 
| fillnull value="Mobile Iron not setup" Status 
| table Company, "User ID", "Display Name", "Status" DeviceId 
| sort Company asc
0 Karma
Reply

davidcraven02
Communicator
‎05-15-2018 06:45 AM

Thanks but this is gives the same number of results only a more efficient way to run it.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...