Trying to use a CSV for inputlookup the username field should be Security_ID and there is only one column with the Security_ID in the CSV.
I just want my search results to show events that have the Security_IDs that are in the CSV. I'm a total noob so I'm very confused. Any assist would be greatly appreciated. I know this doesn't work below, but don't know why 🙂
| inputlookup departmentusers.csv
| fields Security_ID
| index="wineventlog" EventCode="4740" host="MyPDC"
This failed to work for me. States "Error in 'lookup' command: Could not construct lookup 'departmentusers.csv, Security_ID, OUTPUTNEW'. See search.log for more details."
Everything I've seen shows that the InputLookup has to be first so it's confusing to say the least.
Try like this
index="wineventlog" EventCode="4740" host="MyPDC" [| inputlookup departmentusers.csv | fields Security_ID]
Search then apply a lookup
index="wineventlog" EventCode="4740" host="MyPDC" | lookup departmentusers.csv Security_ID OUTPUTNEW