https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611654#M212644 <P>I am working to leverage the below query for 'Stale Account Usage' from&nbsp;<A href="https://docs.splunksecurityessentials.com/content-detail/stale_account_usage/" target="_blank" rel="noopener">Splunk Security Essentials Docs</A>, which uses lookup "account_status_tracker".</P> <P>The&nbsp; 'How to Implement' guidance includes: "<SPAN>The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in Common Information Model format. "&nbsp; </SPAN></P> <P><SPAN>From the "Add New" lookup webpage, it is not clear how I assign an appropriate "Lookup File" that will the necessary fields in CIM format. I have looked through Splunk docs and other likely resources, with no strong hits. I admit this is an area new to me.&nbsp; </SPAN></P> <P><SPAN>My question is: what steps do I need to take to define this lookup, including assigning an appropriate "Lookup File"?&nbsp; When I select existing authentication-related files as the "Lookup File", I receive error messages, for example:&nbsp; "Cannot find the destination field 'count' in the lookup table...</SPAN></P> <P>And leads greatly appreciated.&nbsp;</P> <LI-CODE lang="markup">index=* source="*WinEventLog:Security" action=success | stats count min(_time) as earliest max(_time) as latest by user | multireport [| stats values(*) as * by user | lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest | where prior_latest &lt; relative_time(now(), "-90d") | eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago." | convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ] [| inputlookup append=t account_status_tracker | stats min(earliest) as earliest max(latest) as latest sum(count) as count by user | outputlookup account_status_tracker | where this_only_exists_to_update_the_lookup='so we will make sure there are no results'] </LI-CODE> Thu, 01 Sep 2022 18:29:04 GMT Sven1 2022-09-01T18:29:04Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611654#M212644 <P>I am working to leverage the below query for 'Stale Account Usage' from&nbsp;<A href="https://docs.splunksecurityessentials.com/content-detail/stale_account_usage/" target="_blank" rel="noopener">Splunk Security Essentials Docs</A>, which uses lookup "account_status_tracker".</P> <P>The&nbsp; 'How to Implement' guidance includes: "<SPAN>The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in Common Information Model format. "&nbsp; </SPAN></P> <P><SPAN>From the "Add New" lookup webpage, it is not clear how I assign an appropriate "Lookup File" that will the necessary fields in CIM format. I have looked through Splunk docs and other likely resources, with no strong hits. I admit this is an area new to me.&nbsp; </SPAN></P> <P><SPAN>My question is: what steps do I need to take to define this lookup, including assigning an appropriate "Lookup File"?&nbsp; When I select existing authentication-related files as the "Lookup File", I receive error messages, for example:&nbsp; "Cannot find the destination field 'count' in the lookup table...</SPAN></P> <P>And leads greatly appreciated.&nbsp;</P> <LI-CODE lang="markup">index=* source="*WinEventLog:Security" action=success | stats count min(_time) as earliest max(_time) as latest by user | multireport [| stats values(*) as * by user | lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest | where prior_latest &lt; relative_time(now(), "-90d") | eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago." | convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ] [| inputlookup append=t account_status_tracker | stats min(earliest) as earliest max(latest) as latest sum(count) as count by user | outputlookup account_status_tracker | where this_only_exists_to_update_the_lookup='so we will make sure there are no results'] </LI-CODE> Thu, 01 Sep 2022 18:29:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611654#M212644 Sven1 2022-09-01T18:29:04Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611694#M212661 <P>Usually, the first step to adding a lookup is to put a CSV file on the server in one of Splunk's 'lookups'&nbsp; directories.&nbsp; Then use the GUI to reference that file.</P><P>You also can use the Lookup File Editor app to create a new lookup file from the GUI.</P> Fri, 02 Sep 2022 00:21:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611694#M212661 richgalloway 2022-09-02T00:21:59Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611695#M212662 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>:&nbsp;Thank you.&nbsp; After reading the guidance,&nbsp;<SPAN>&nbsp;"</SPAN><SPAN>The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in CIM format" I grabbed the current authentication CIM (<A href="https://docs.splunk.com/Documentation/CIM/latest/User/Authentication" target="_blank">Authentication - Splunk Documentation</A>), but then held off on pushing to create the lookup.&nbsp; For example, I noticed that while the lookup will attempt to OUTPUT field "count", the authentication CIM does not include a "count" field.&nbsp; So, I was just taking a step back and seeing if there is any other information needed to best implement this solution.&nbsp;</SPAN></P><P>Again, thank you.&nbsp;</P> Fri, 02 Sep 2022 02:08:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-Lookup/m-p/611695#M212662 Sven1 2022-09-02T02:08:20Z