https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392151#M114136 <P>IMO, a single ldapsearch query to populate the helpdesk.csv file would be more performant than a separate ldapsearch for each row found in the security index each time this query runs. Your AD admin will appreciate it.</P> Wed, 20 Feb 2019 13:59:27 GMT richgalloway 2019-02-20T13:59:27Z https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392150#M114135 <P>I have a Splunk query that parses out some Windows event log data. One of the things that I examine is the user name mentioned in the event to see if they are in a lookup file. Something like:</P> <PRE><CODE>index=security EventCode=5136 | AdminName=AccountName | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk | eval IsHelpDesk = if (match(HelpDesk,"^\w+"),"TRUE","FALSE") | table _time,AdminName,IsHelpDesk,User,OtherStuff </CODE></PRE> <P>I generate the contents of helpdesk.csv ever morning (it's an ldapsearch that pulls the membership of some groups).</P> <P>I am wondering if there is a way to do the above search without generating the helpdesk.csv lookup file every day and instead populate TRUE or FALSE for IsHelpDesk based on a subsearch (that uses ldapsearch to see if the user is a member of a group) to create a temporary lookup table so it can all be done in a single search?</P> Wed, 20 Feb 2019 12:38:39 GMT https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392150#M114135 evetsleep 2019-02-20T12:38:39Z https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392151#M114136 <P>IMO, a single ldapsearch query to populate the helpdesk.csv file would be more performant than a separate ldapsearch for each row found in the security index each time this query runs. Your AD admin will appreciate it.</P> Wed, 20 Feb 2019 13:59:27 GMT https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392151#M114136 richgalloway 2019-02-20T13:59:27Z https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392152#M114137 <P>Yeah I am kind of hoping of a way to do it as a one-time thing (at that moment), but as part of a search. So generate a look up table and reference that table in the same search.</P> Wed, 20 Feb 2019 14:03:46 GMT https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392152#M114137 evetsleep 2019-02-20T14:03:46Z https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392153#M114138 <P>Why? Doing so mean you'll be hitting the LDAP server each time the search runs instead of once each day to build the lookup file.</P> Fri, 22 Feb 2019 13:31:23 GMT https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392153#M114138 richgalloway 2019-02-22T13:31:23Z https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392154#M114139 <P>If you have Splunk Enterprise, the users can be part of asset/identity lookups/KV store and the user fields will be auto extracted for you. In the absense of ES, your best would be to run a LDAP search each day or twice each day and update the single lookup and may be make it automated lookup?</P> Thu, 28 Feb 2019 09:22:24 GMT https://community.splunk.com/t5/Splunk-Search/Populate-field-based-on-subsearch/m-p/392154#M114139 lakshman239 2019-02-28T09:22:24Z