Splunk Search

user name missing or exist in search

pr_blr
Explorer

I am reading user from lookup file and then searching a search and find the user list from lookup file and giving table as user and status missing or exist in search.
please suggest me what should be the efficient way of doing this.

Tags (1)
0 Karma
1 Solution

kml_uvce
Builder

there are 2 ways of doing this.
1) Use left join : <first search of lookuptable> left join <second search>
2) use transaction and append on user: <first search of lookuptable> |append <second search> |transaction user|use if condition to see any field of second search exist then make value as exist otherwise missing.

second way of doing is faster than first...

View solution in original post

0 Karma

kml_uvce
Builder

there are 2 ways of doing this.
1) Use left join : <first search of lookuptable> left join <second search>
2) use transaction and append on user: <first search of lookuptable> |append <second search> |transaction user|use if condition to see any field of second search exist then make value as exist otherwise missing.

second way of doing is faster than first...

0 Karma

pr_blr
Explorer

thanks second option works for me

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...