Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Column comparison for authentication

qazwsxedc994
Explorer
‎08-17-2015 05:09 AM

Hi,

I created a search which provides me with the usernames of all user which have logged on, i have another column right now which is from a database containing all the authenticated usernames. I want to check that all usernames in the first column are in the database.

I tried using:
eval Results=if(match(Loggedin_user,username), "yes","no"

but doesnt work. I need a way to loop through the Loggedin_user column verifying that the username is in the username column.

Any suggestion on how to do this?

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-17-2015 08:48 AM

This might not be the best solution but...
You can | append the usernames from the db to the result of the search. Instead of using 2 columns you'll end up with 1 column with every username. After that just use: 

|stats count by username

Then you just use search to filter results:
For users on both places:

 ...| search count =2

For users only in one place:

 ...| search count < 2

If you want to know where they are you could even use values(source) in the stats command

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...