https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601596#M209369 <P>Thanks in Advance,&nbsp;</P> <P>I have a search setup to see whenever someone access's a certain document. This works just fine, the issue comes with the results. Looking at the Extracted Fields, i get the users "Sid" instead of their username. I do however have Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyones sAMAccountName as well as their SIDs' and puts it in the location of my Lookup Table.&nbsp;</P> <P>Trying to figure out how to get the |inputlookup&nbsp; &nbsp; &nbsp;to compair the search results Sid with my excel doc and give me the AccountName in that specific Row as well. Any help?</P> <P>&nbsp;</P> <P>I have this ( minus the output to create my users.csv)</P> <P>|ldapsearch search="(&amp;(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"<BR />|makemv userAccountControl<BR />|search userAccountControl="NORMAL_ACCOUNT"<BR />|eval suffix=""<BR />|eval endDate=""<BR />|table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated,</P> <P>&nbsp;</P> <P>and my main search</P> <P>source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*</P> <P>&nbsp;</P> <P>Just need a input to get my results Sid to look at the Excel find the SID in the "objectSid" ( column B ) and give me the sAMAccountName(columnA) into my search results...</P> <P>&nbsp;</P> <P>IF POSSIBLE!</P> Mon, 13 Jun 2022 20:34:11 GMT judges88 2022-06-13T20:34:11Z https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601596#M209369 <P>Thanks in Advance,&nbsp;</P> <P>I have a search setup to see whenever someone access's a certain document. This works just fine, the issue comes with the results. Looking at the Extracted Fields, i get the users "Sid" instead of their username. I do however have Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyones sAMAccountName as well as their SIDs' and puts it in the location of my Lookup Table.&nbsp;</P> <P>Trying to figure out how to get the |inputlookup&nbsp; &nbsp; &nbsp;to compair the search results Sid with my excel doc and give me the AccountName in that specific Row as well. Any help?</P> <P>&nbsp;</P> <P>I have this ( minus the output to create my users.csv)</P> <P>|ldapsearch search="(&amp;(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"<BR />|makemv userAccountControl<BR />|search userAccountControl="NORMAL_ACCOUNT"<BR />|eval suffix=""<BR />|eval endDate=""<BR />|table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated,</P> <P>&nbsp;</P> <P>and my main search</P> <P>source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*</P> <P>&nbsp;</P> <P>Just need a input to get my results Sid to look at the Excel find the SID in the "objectSid" ( column B ) and give me the sAMAccountName(columnA) into my search results...</P> <P>&nbsp;</P> <P>IF POSSIBLE!</P> Mon, 13 Jun 2022 20:34:11 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601596#M209369 judges88 2022-06-13T20:34:11Z https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601650#M209390 <P>Have you tried using the lookup command?</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Lookup" target="_blank">lookup - Splunk Documentation</A></P> Tue, 14 Jun 2022 06:27:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601650#M209390 ITWhisperer 2022-06-14T06:27:25Z https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601717#M209426 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>I did try and did read i just feel i may not be smart enough to understand this. I never needed to use this before so its all kinda new. Ill take a look at the docs again.&nbsp;</P> Tue, 14 Jun 2022 11:27:56 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601717#M209426 judges88 2022-06-14T11:27:56Z https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601719#M209428 <P>So i was able to figure it out after a few hours.... dont judge haha.... It was because my CSV with the info in it field was titled "objectSid" but the original output of the search field was just "sid" so as soon as i renamed the "sid" to match the csv "objectSid" in my lookup it worked right away....</P><P>&nbsp;</P><P>search here* | rename "Sid" as "objectSid" | lookup users1.csv objectSid OUTPUTNEW sAMAccountName | table Message, sAMAccountName</P> Tue, 14 Jun 2022 11:50:14 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601719#M209428 judges88 2022-06-14T11:50:14Z https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601726#M209429 <P>You can also do the "rename" as part of the lookup</P><LI-CODE lang="markup">search here* | lookup users1.csv objectSid AS Sid OUTPUTNEW sAMAccountName | table Message, sAMAccountName</LI-CODE> Tue, 14 Jun 2022 12:11:55 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601726#M209429 ITWhisperer 2022-06-14T12:11:55Z https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601733#M209430 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>thatll make the search look better for sure. Thanks!</P> Tue, 14 Jun 2022 12:48:27 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-do-Splunk-Input-with-cv2/m-p/601733#M209430 judges88 2022-06-14T12:48:27Z