Re: Lookup File Lookup in props\transform

pfabrizi · ‎11-15-2018

We are using graylog to forward windows security events to SPLUNK, since we are using Enterprise Security and COM and we worked with SPLUNK PS to basically remap the fields from winlogbeat_ to format needed by the SPLUNK_TA_windows app. We have these working but are struggling with 1 lookup.

The field is 'action' with a value of "Action Success" or "Action Failure". However, when graylog sends it as [Action Success] or [Action Failure]. We changed the lookups file from splunk_ta_windows to [Action Success], success or [Action Failure],failure.

It doesn't appear to pull this from the lookup table. Is there a particular format when prefaced with a special character?

Here is what I tried:

[audit failure],failure
[Audit Failure],failure
"[AUDIT_FAILURE]",failure

Thanks!

Not sure if this is conflicting with the TA_Windows lookup or not, when I look at a btool I see that mine loaded, but I would think if I was using that one it would have broken the events coming in over the SPLUNK UF.

FrankVl · ‎11-16-2018

Can you not update your extractions to strip off those square brackets before the lookup is applied?

pfabrizi · ‎11-19-2018

Thanks Frank, I did try that but was not successful. What my issue was the Splunk_TA_windows lookup was taking precedence so I just called it another name it works.

Lookup File Lookup in props\transform

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation