In order to compare the data, it must be in Splunk. Normally, you would index data into Splunk that represents "interesting events." Then you could summarize the data and examine the results.

So you could index both the information from AD and from HR. But this is not really "event" data - these are static lists. Splunk provides a mechanism for loading lists as CSV files; they are called "lookup files" or "lookups". It seems to me that this is a more appropriate way to load this information into Splunk.

Another alternative is to ask Splunk to retrieve data from an external database and use it in a lookup or a search. This is somewhat of a variation on the CSV files.

Assume that you load both lists into Splunk and call them AD_lookup and HR_lookup respectively. When you load the HR data and create the HR_lookup, set a value of "Unknown" for the default and a minimum number of 1. That way, if a user name is not on the list, the lookup will return "Unknown". Assuming the two CSV files look something like this:

AD_user
drose
jsmith
jdoe

HR_user
drose
jdoe

(Yes, the first line is a header and you must have it.)

Here is a search to compare the lists, and then display the users that are in the AD data but not the HR data:

| inputlookup AD_lookup
| lookup HR_lookup AD_user as HR_user OUTPUT HR_user as result
| where result="Unknown"

Here is a link to lookups in the Splunk Tutorial.