Hi
I want to put the result of this command into a second one:
Actually I extract the result into a CSV file, and put the CSV file as a lookup in another command, like below.
(damtest2.csv is the result of my first command)
How can I proceed to avoid passing through a lookup?
Regards
Hi @darphboubou,
please, next time, copy your search into the Code Sample window so it's easier to answer by copying your code.
Anyway, yes, you can put the first search as a subsearch of the second.
You only have to pay attention to three points:
It's complicated to rewrite your search, anyway, you should have something like this:
<your_second_search> [ search <your_first_search> | fields Workstation_Name ]
| ...
Ciao.
Giuseppe
Hi @gcusello ,
I don't get it, but here are the codes.
Retrieve NTLMv1 requests and add the field operating system to the result
index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) | table name operatingSystem | rename name as Workstation_Name operatingSystem as os]
| eval AccountD=mvindex(Account_Domain,1)
| eval AccountN=mvindex(Account_Name,1)
| table AccountD AccountN Workstation_Name Package_Name__NTLM_only_ os
| rename Workstation_Name AS "Server", Package_Name__NTLM_only_ AS "NTLM Type"
| where isnotnull(os)
| dedup Server
| sort Server
and second one:
index=windows EventCode=4624 [ | inputlookup damtest2.csv | rename Server AS Workstation_Name | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os
| table Workstation_Name os Package_Name__NTLM_only_
| dedup Workstation_Name Package_Name__NTLM_only_
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"
Thanks for your help 🙂
Regards
Hi @darphboubou,
to execute the first search you don't need all the things you have in the lookup generation, so you should try something like this:
index=windows EventCode=4624 [ search index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1" | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os
| table Workstation_Name os Package_Name__NTLM_only_
| dedup Workstation_Name Package_Name__NTLM_only_
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"
Ciao.
Giuseppe
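To answer the original question fully (no lookup file at all), the operating-system enrichment can also come from the same bel_ldapsearch subsearch that the first search already uses, so damtest2.csv is no longer needed. The search below is an added example, not code posted by either participant; it reuses only the indexes and field names that appear in the thread (index=windows, index=bel_ldapsearch, Workstation_Name, Package_Name__NTLM_only_, operatingSystem, type=server). The "NTLM V2" filter is moved into the base search so it is applied before the join, the subsearch is deduplicated so it stays well under the default subsearch limits (10,000 results and 60 seconds), and the final table is replaced by a count of NTLMv2 logons per server that has also been seen using NTLMv1.

```spl
index=windows EventCode=4624 Package_Name__NTLM_only_="NTLM V2"
    [ search index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
      | dedup Workstation_Name
      | fields Workstation_Name ]
| join type=left Workstation_Name
    [ search index=bel_ldapsearch type=server
      | table name operatingSystem
      | rename name AS Workstation_Name, operatingSystem AS os ]
| where isnotnull(os)
| stats count AS ntlmv2_logons BY Workstation_Name os
| sort Workstation_Name
```

The subsearch in the base search expands to `(Workstation_Name="host1" OR Workstation_Name="host2" ...)`, which is exactly what the `inputlookup damtest2.csv | fields Workstation_Name` construct produced, only computed live. The `where isnotnull(os)` after a left join keeps the same semantics as the first search (only hosts known in the LDAP server inventory are reported); drop that line if you also want to see workstations the inventory does not know about.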