Solved: Trying to build a field in search then compare th...

mjones414 · ‎04-05-2012

Trying to compare the results of a lookup table to a field I'm creating by using mvindex and I can get it to join and show me everything that matches but what I really want to do is show me everything in this newly created field that doesn't match the lookup table.

source=WinEventLog:Security (EventCode="4733" OR EventCode="4732" OR EventCode="637" OR EventCode="636")
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,0)
| join [ inputlookup admin_list | fields + Admin_Name | rename Admin_Name as Wanted_Account]
| table Wanted_Account

This currently shows me every referenced admin in Wanted_Account. How can I do the inverse?

Many thanks in advance!!

jt_splunk · ‎04-06-2012

Instead of:
"| table Wanted_Account"
Can you do something like this:
"| search Wanted_Account!=*"

View solution in original post

jt_splunk · ‎04-06-2012

Instead of:
"| table Wanted_Account"
Can you do something like this:
"| search Wanted_Account!=*"

Trying to build a field in search then compare the results to a lookup table

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?