Splunk Search

Compare Search Results with files

drose5778
New Member

Is it possible to compare the results of a search (specifically an LDAP search) with a text file, or just compare multiple text files directly?

We are trying to create a dashboard which will help us audit our user access by comparing active AD users versus an active user list supplied by HR. So as an example, the dashboard would show users active in AD but not on the list, which would mean they need to be deactivated.

I have read this SHOULD be possible, but then I read otherwise in a different Splunk answer.

Can I accomplish this within Splunk or should I look for a different tool?


lguinn2
Legend

In order to compare the data, it must be in Splunk. Normally, you would index data into Splunk that represents "interesting events." Then you could summarize the data and examine the results.

So you could index both the information from AD and from HR. But this is not really "event" data - these are static lists. Splunk provides a mechanism for loading lists as CSV files; they are called "lookup files" or "lookups". It seems to me that this is a more appropriate way to load this information into Splunk.

Another alternative is to ask Splunk to retrieve data from an external database and use it in a lookup or a search. This is somewhat of a variation on the CSV files.

Assume that you load both lists into Splunk and call them AD_lookup and HR_lookup respectively. When you load the HR data and create the HR_lookup, set a value of "Unknown" for the default and a minimum number of 1. That way, if a user name is not on the list, the lookup will return "Unknown". Assuming the two CSV files look something like this:

AD_user
drose
jsmith
jdoe

HR_user
drose
jdoe

(Yes, the first line is a header and you must have it.)

Here is a search to compare the lists, and then display the users that are in the AD data but not the HR data:

| inputlookup AD_lookup
| lookup HR_lookup HR_user AS AD_user OUTPUT HR_user AS result
| where result="Unknown"

Here is a link to lookups in the Splunk Tutorial.

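As an added example, not part of lguinn2's answer or of Splunk itself, here is the same AD-versus-HR comparison done offline in Python. It reads the two header-bearing CSV lists, emulates a lookup with a default of "Unknown", and reports both directions of mismatch: accounts active in AD but absent from the HR list (the deactivation candidates the question asks for) and HR names with no AD account. The CSV contents, the `lookup_result` and `compare_lists` helpers, and the case-folding of user names are all constructed for this example.

```python
"""Added example: compare an AD user export against an HR active-user list.

The CSV contents below are constructed sample data in the same shape as the
AD_lookup / HR_lookup files in the answer above; they are not real exports.
"""
import csv
import io

# Constructed sample lookups. 'JDoe' is included deliberately to show why
# names are normalised before comparison.
AD_CSV = """AD_user
drose
jsmith
jdoe
JDoe
"""

HR_CSV = """HR_user
drose
jdoe
mjones
"""


def load_users(csv_text, column):
    """Read one column of a header-bearing CSV into a set of normalised names.

    Directory exports and HR lists rarely agree on case or padding, so names
    are lower-cased and stripped first; without this, 'JDoe' and 'jdoe' would
    be reported as a mismatch and a live account could slip through the audit.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"missing header column {column!r}")
    return {row[column].strip().lower() for row in reader if row[column].strip()}


def lookup_result(ad_user, hr_users, default="Unknown"):
    """Emulate a Splunk lookup whose definition sets a default value and
    min_matches=1: return the matched HR name, or the default when there is
    no match, which is what the answer's where result="Unknown" clause keys on.
    """
    return ad_user if ad_user in hr_users else default


def compare_lists(ad_csv, hr_csv):
    """Return the two findings an access reviewer needs.

    - 'deactivate': active in AD but absent from the HR list (the dashboard
      case in the question)
    - 'missing_in_ad': on the HR list but with no AD account, a sanity check
      that the HR feed and the AD export are actually in sync
    """
    ad_users = load_users(ad_csv, "AD_user")
    hr_users = load_users(hr_csv, "HR_user")
    deactivate = sorted(u for u in ad_users if lookup_result(u, hr_users) == "Unknown")
    missing_in_ad = sorted(hr_users - ad_users)
    return {"deactivate": deactivate, "missing_in_ad": missing_in_ad}


if __name__ == "__main__":
    findings = compare_lists(AD_CSV, HR_CSV)
    for name in findings["deactivate"]:
        print(f"{name}: active in AD, not on HR list -> review for deactivation")
    for name in findings["missing_in_ad"]:
        print(f"{name}: on HR list, no AD account")
```

Two points carry over to the Splunk version. First, the default "Unknown" only appears if the lookup definition has a default value and min_matches set, as the answer says; a plain lookup leaves the output field empty, in which case `where isnull(result)` is the equivalent test. Second, CSV lookups match case-sensitively unless `case_sensitive_match` is set to false in the lookup definition, so normalise the user name field on both sides (or turn that setting off) before trusting the "not on the HR list" result.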