Hey everyone,
I have a list that contains usernames and Countries.
The name of the list is user1.csv and its added in the lookup table files.
Cisco_ASA_user,Country
user1,United States
user2,United States
User3,United states
The countries are the locations that a user supposed to login from all the times.
I want to create a search that will compare the country of the user who logged in with the country on the list and shows me the result if it is not a match.
Let's say user1 supposed to login from the United States all the time, but for some reason, the country has changed to England.
This is my search so far:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| iplocation src_ip
| table Cisco_ASA_user , Country | rename Cisco_ASA_user AS username Country AS Origin
This will give me the username and the country.
I don't know how to compare the Origin and username field values from my search with the values from |inputlookup user1.csv | fields Cisco_ASA_user Country.
Basically, I want to see the results where username=Cisco_ASA_user AND Origin!=Country
Any ideas of how to make this work?
↧