https://community.splunk.com/t5/Splunk-Search/Search-for-user-additions-to-Active-Directory-privileged-groups/m-p/548319#M155529 <P>Nothing stands out as wrong with that search.&nbsp; I'd suggest reviewing the job inspector, maybe the keywords or remotesearch fields (Job -&gt; Inspect Job, expand search properties) - that should give you an idea if the subsearch is working as you expect.</P><P>I think a lookup is fine approach.&nbsp; If you have the ability, you could install the Lookup Editor app, which provides an excel-like experience for modifying lookups.&nbsp;</P><P>Or you could use the outputlookup command overwrite the lookup.&nbsp; Typically that would involve using inputlookup to get the events, using where/append/etc to modify the results, then using outputlookup to write it back.</P> Sat, 17 Apr 2021 13:26:39 GMT maciep 2021-04-17T13:26:39Z https://community.splunk.com/t5/Splunk-Search/Search-for-user-additions-to-Active-Directory-privileged-groups/m-p/547108#M155105 <P class="lia-align-left">I would like to run a query for any user additions to privileged Active Directory groups. I am storing the AD groups of interest in Lookup file titled&nbsp;<EM>DomainPrivilegedGroups.csv</EM>. The definition has also been defined with the same name of&nbsp;<EM>DomainPrivilegedGroups.csv.&nbsp;</EM>At this time, the Lookup file contains 16 rows and this is likely to grow in the future. The Lookup file contains one column titled&nbsp;<EM>GroupName</EM>.&nbsp;</P><P class="lia-align-left">My eventual search will look for any events where <EM>EventID=4728 OR EventID=4732 OR EventID=4756</EM>. For now, I'm just trying to get the basic search working and therefore I am running the below:&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">sourcetype="XmlWinEventLog" [ | inputlookup DomainPrivilegedGroups.csv | rename GroupName as Group_Name ]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I'm performing the rename action because I know that the events store the group name in an attribute titled&nbsp;<EM>Group_Name</EM>.</P><P>I know that there are events containing one of the group names so I am expecting results to return.&nbsp;</P><P>Is there anything glaringly obvious I'm doing wrong here?&nbsp;</P><P>Another consideration is whether or not a Lookup file is the best option. From what I can see, there is no way to update a Lookup file and instead, when wanting to make any additions I would need to delete and re-create the Lookup file &amp; definition. Is this correct?&nbsp;</P><P>Thanks in advance!</P> Wed, 07 Apr 2021 21:11:15 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-user-additions-to-Active-Directory-privileged-groups/m-p/547108#M155105 jlph 2021-04-07T21:11:15Z https://community.splunk.com/t5/Splunk-Search/Search-for-user-additions-to-Active-Directory-privileged-groups/m-p/548319#M155529 <P>Nothing stands out as wrong with that search.&nbsp; I'd suggest reviewing the job inspector, maybe the keywords or remotesearch fields (Job -&gt; Inspect Job, expand search properties) - that should give you an idea if the subsearch is working as you expect.</P><P>I think a lookup is fine approach.&nbsp; If you have the ability, you could install the Lookup Editor app, which provides an excel-like experience for modifying lookups.&nbsp;</P><P>Or you could use the outputlookup command overwrite the lookup.&nbsp; Typically that would involve using inputlookup to get the events, using where/append/etc to modify the results, then using outputlookup to write it back.</P> Sat, 17 Apr 2021 13:26:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-user-additions-to-Active-Directory-privileged-groups/m-p/548319#M155529 maciep 2021-04-17T13:26:39Z