Noob:Inputlookup match Security ID fileds

je13aier74 · ‎04-05-2019

Trying to use a CSV for inputlookup the username field should be Security_ID and there is only one column with the Security_ID in the CSV.

I just want my search results to show events that have the Security_IDs that are in the CSV. I'm a total noob so I'm very confused. Any assist would be greatly appreciated. I know this doesn't work below, but don't know why 🙂

| inputlookup departmentusers.csv
| fields Security_ID
| index="wineventlog" EventCode="4740" host="MyPDC"

je13aier74 · ‎04-05-2019

This failed to work for me. States "Error in 'lookup' command: Could not construct lookup 'departmentusers.csv, Security_ID, OUTPUTNEW'. See search.log for more details."

Everything I've seen shows that the InputLookup has to be first so it's confusing to say the least.

somesoni2 · ‎04-05-2019

Try like this

index="wineventlog" EventCode="4740" host="MyPDC" [| inputlookup departmentusers.csv | fields Security_ID]

starcher · ‎04-05-2019

Search then apply a lookup

index="wineventlog" EventCode="4740" host="MyPDC" | lookup departmentusers.csv Security_ID OUTPUTNEW

Noob:Inputlookup match Security ID fileds

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Noob:Inputlookup match Security ID fileds

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!