Solved: Trying to build a field in search then compare th...

mjones414 · ‎04-05-2012

Trying to compare the results of a lookup table to a field I'm creating by using mvindex and I can get it to join and show me everything that matches but what I really want to do is show me everything in this newly created field that doesn't match the lookup table.

source=WinEventLog:Security (EventCode="4733" OR EventCode="4732" OR EventCode="637" OR EventCode="636")
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,0)
| join [ inputlookup admin_list | fields + Admin_Name | rename Admin_Name as Wanted_Account]
| table Wanted_Account

This currently shows me every referenced admin in Wanted_Account. How can I do the inverse?

Many thanks in advance!!

jt_splunk · ‎04-06-2012

Instead of:
"| table Wanted_Account"
Can you do something like this:
"| search Wanted_Account!=*"

View solution in original post

jt_splunk · ‎04-06-2012

Instead of:
"| table Wanted_Account"
Can you do something like this:
"| search Wanted_Account!=*"

Trying to build a field in search then compare the results to a lookup table

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases