Channel: Questions in topic: "splunk-enterprise"

How do I determine if a user group is not used?

Hi all,

Here is my problem: on the one hand I have a lookup which is a list of group names. On the other hand, I have logs generated when someone establishes a connection to my bastion, and the logs give me the user's group. I want to determine if some of my groups are useless (therefore never used). So I am trying to join my search with my lookup, and I want to see which lines of the lookup have no match.

Here is my command:

    sourcetype="bastion" | stats count by user_group | lookup Group_Names.csv "Group" as "user_group" OUTPUT "Group" | fillnull count

But as a result, I only get the lines that actually matched with a log. Am I taking this problem the right way? Is it even possible to do this?

Thanks for your help :)
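An added example, not part of the original post: `lookup` only enriches rows that already exist in the results, so groups with no bastion events never appear. One way to list them is to append every row of the lookup with a zero count and keep the groups whose total stays at zero, using the lookup, field and sourcetype names from the question.

```spl
sourcetype="bastion"
| stats count by user_group
| append
    [| inputlookup Group_Names.csv
     | rename Group AS user_group
     | eval count=0
     | fields user_group count ]
| stats sum(count) AS count by user_group
| where count=0
```

A group is reported as unused only relative to the time range the search covers, so choose a window long enough for the access review. The `stats ... by user_group` grouping is case-sensitive, so group names in the lookup must match the log values exactly.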
