I have a lookup table with a list of usernames that have logged in to a website last year in 2015, and I'm trying to match logins from another search with any usernames that exist in that lookup table for the past 30 days.
I tried the below search, but it doesn't quite work as expected... well, it produces an output but only for the current "today"... and I know the matched list should be much greater.
The 2015LoginReport.csv lookup contains only a single column of username which matches the format of the index=web sourcetype=login search, and I'm able to run a | inputlookup 2015LoginReport.csv which shows the list... so there are no issues with the CSV.
index=web sourcetype=login
earliest=-31d@d latest=@d
| bucket span=1m _time
| join username
[
| inputlookup 2015LoginReport.csv
]
| stats count by _time username
Thank you in advance!
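As an added example (not from the original post, and not a diagnosis of the search above), the same match can be written with the lookup command instead of a join subsearch. It assumes the CSV column is named username, as the post states, and that the field name in_2015 is free to use:

```spl
index=web sourcetype=login earliest=-31d@d latest=@d
| lookup 2015LoginReport.csv username OUTPUT username AS in_2015
| where isnotnull(in_2015)
| bucket span=1m _time
| stats count BY _time username
```

Here lookup enriches every event from the main search with in_2015 when its username is present in the CSV; events with no match get a null in_2015 and are dropped by the where clause. Because the CSV is never run as a subsearch, the result is not subject to subsearch row or time limits, which join subsearches are. The bucket and stats steps are the ones from the post and produce per-minute counts by username over the 31-day window.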