Hi,
I have a CSV which contains groups and users:
Groupe Name, User
administrator,admin1
guest,admin2
guest,admin1
printer, admin1
I would like to make two searches to retrieve the groups for admin1 and admin2, and find and display the difference between them.
This is to find the difference in the role attribution of each user.
What is the best query to make with Splunk?
I tried something like:
| set diff [search index="role_log" source="List_Of_all_Groups_With_USers" SamAccountName=admin1 | sort SamAccountName | stats values("Group Name") by "SamAccountName"] [search index="role_log" source="List_Of_all_Groups_With_USers" SamAccountName=admin2 | sort SamAccountName | stats values("Group Name") by "SamAccountName"]
Or this one:
index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | sort SamAccountName | stats values("Group Name") by "SamAccountName"
But this displays only the groups for each user, in two lines.
It doesn't indicate which groups are missing for admin1 or admin2, or which group has or has not been added to each user.
Try this
index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | where NOT (admin1=admin2)
*OR*
index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | addtotals | where Total=1
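The comparison asked for in the question, as an added example that is not from any poster in this thread: it groups by "Group Name", keeps the groups held by only one of the two accounts, and names which account has the group and which lacks it. The rows are constructed inline from the question's sample CSV (field `constructed_row` is hypothetical) so the search runs without the `role_log` index; against real data, replace the first four lines with the base search from the question.

```spl
| makeresults
| eval constructed_row=split("administrator,admin1;guest,admin2;guest,admin1;printer,admin1", ";")
| mvexpand constructed_row
| eval "Group Name"=mvindex(split(constructed_row, ","), 0), SamAccountName=mvindex(split(constructed_row, ","), 1)
| stats values(SamAccountName) as members dc(SamAccountName) as member_count by "Group Name"
| where member_count=1
| eval only_in=members, missing_from=if(members="admin1", "admin2", "admin1")
| table "Group Name" only_in missing_from
```

With the sample rows this returns administrator and printer, both held by admin1 and missing from admin2; guest is dropped because both accounts have it.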
It seems there is a statement error, as chart dc over is not recognized.
This works fine: