Security

domain account search using csv and event id

japonter
Explorer

Hi, I have been looking but can't seem to make much sense of it all.

I'm new to Splunk. I'm trying to create a search and alert from a CSV file; the CSV file contains Domain Admin accounts, and I wanted to create a search for a number of event IDs on those domain admin accounts.

index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv

 

but I can't seem to make it work. Any help would be great.

0 Karma
1 Solution

richgalloway
SplunkTrust

"can't make it work" is not a great problem statement.  What results do you get and how do they compare to what you want to get?

The inputlookup command is a generating command so it has to be the first command in a search.  That's one reason the sample query doesn't work.

I suspect you're wanting to read the CSV and use the list of admin names to filter data in an index.  That's done using a subsearch.  In Splunk, a subsearch is identified by square brackets and executes first.  The output of the subsearch is appended to the main search before execution continues.  Try this example:

index=win sourcetype=wineventlog EventCode=*the events im looking for* [| inputlookup file.csv | format]

The inputlookup command is the first command in the subsearch.  The subsearch runs, reads file.csv, then formats the results into the form "(admin=foo OR admin=bar OR admin=baz...)".  It's important for the field name read from the CSV to match a field name in the index used by the main search.  Use a rename in the subsearch to satisfy that requirement.

It should be noted that the phrase EventCode=*the events im looking for* needs to have a single value on the right hand side.  If you want to search for multiple event codes then use an OR expression or the IN operator.

index=win sourcetype=wineventlog (EventCode=4123 OR EventCode=4124)

index=win sourcetype=wineventlog EventCode IN (4123, 4124)
---
If this reply helps you, Karma would be appreciated.

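To make the subsearch expansion concrete, here is an added example that is not part of the original thread or of Splunk itself. It re-implements in plain Python what the accepted answer's pipeline does: read the lookup CSV (inputlookup), rename the lookup column to the event field name (rename), build the OR-ed filter that the format command splices into the outer search, and run the resulting filter over sample Windows Security events. The file name domain_admins.csv, the lookup column DomainAdmin, the account names and the chosen event codes (4720, 4728, 4732 are the standard Windows IDs for user creation and group-membership changes) are this example's own assumptions; the events are constructed sample data. It also shows the failure mode the original poster hit: with the CSV header left unrenamed, the filter compares against a field no event carries and matches nothing.

```python
import csv
import io

# Equivalent SPL for reference (assumed lookup name and columns):
#   index=win sourcetype=wineventlog EventCode IN (4720, 4728, 4732)
#       [| inputlookup domain_admins.csv | rename DomainAdmin AS Account_Name | format]

# Constructed lookup file. The header column is DomainAdmin, which does not
# exist on indexed events, so the subsearch needs a rename before `format`.
DOMAIN_ADMINS_CSV = """DomainAdmin
j.doe
svc_backup
admin.kim
"""

# Constructed events, shaped like the fields Splunk extracts from Windows
# Security logs. Account names are hypothetical; EventCodes 4720 (user account
# created), 4728 (member added to a global group) and 4732 (member added to a
# local group) are the standard Windows IDs.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "EventCode": 4624, "Account_Name": "j.doe"},
    {"_time": "2024-03-01T08:05:00", "EventCode": 4728, "Account_Name": "j.doe"},
    {"_time": "2024-03-01T08:06:00", "EventCode": 4732, "Account_Name": "b.smith"},
    {"_time": "2024-03-01T08:07:00", "EventCode": 4720, "Account_Name": "svc_backup"},
    {"_time": "2024-03-01T08:09:00", "EventCode": 4732, "Account_Name": "admin.kim"},
    {"_time": "2024-03-01T08:10:00", "EventCode": 4740, "Account_Name": "admin.kim"},
]

WATCHED_EVENT_CODES = {4720, 4728, 4732}


def input_lookup(csv_text, rename=None):
    """Equivalent of `| inputlookup file.csv | rename OLD AS NEW`.

    Returns one dict per CSV row. The header row supplies the field names,
    which is why the CSV's first line must carry (or be renamed to) the
    field name the events use.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if rename:
        old, new = rename
        rows = [{(new if k == old else k): v for k, v in r.items()} for r in rows]
    return rows


def format_rows(rows):
    """Mimic the default output of Splunk's `format` command.

    Each row becomes `( f="v" AND g="w" )`, rows are joined with OR and the
    whole expression is wrapped in parentheses; that string replaces the
    subsearch in the outer search. For empty input `format` emits `NOT ()`,
    which makes the outer search match nothing.
    """
    if not rows:
        return "NOT ()"
    clauses = []
    for row in rows:
        terms = [f'{k}="{v}"' for k, v in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def search(events, event_codes, admin_rows):
    """Equivalent of the outer search: EventCode IN (...) plus the expanded filter.

    An event matches when its EventCode is watched and every field of at least
    one lookup row equals the same-named field on the event (the AND/OR
    structure `format` produced). Matching is by field name, so a CSV header
    that does not match the event field silently yields zero results. Splunk
    compares field values case-insensitively; this example compares exactly.
    """
    hits = []
    for ev in events:
        if ev["EventCode"] not in event_codes:
            continue
        if any(all(str(ev.get(k)) == v for k, v in row.items()) for row in admin_rows):
            hits.append(ev)
    return hits


def main():
    # Without the rename the filter field is DomainAdmin, which no event carries.
    unrenamed = input_lookup(DOMAIN_ADMINS_CSV)
    print(format_rows(unrenamed))
    print("hits without rename:", len(search(SAMPLE_EVENTS, WATCHED_EVENT_CODES, unrenamed)))

    renamed = input_lookup(DOMAIN_ADMINS_CSV, rename=("DomainAdmin", "Account_Name"))
    print(format_rows(renamed))
    for ev in search(SAMPLE_EVENTS, WATCHED_EVENT_CODES, renamed):
        print(ev["_time"], ev["EventCode"], ev["Account_Name"])


if __name__ == "__main__":
    main()
```

Run it and the first filter string uses DomainAdmin and produces no hits; the renamed one uses Account_Name and returns the three group-membership and account-creation events for the listed admins. In Splunk the same mismatch produces an empty result set with no error, which is why checking the subsearch output on its own (run `| inputlookup domain_admins.csv | rename DomainAdmin AS Account_Name | format` by itself) is the quickest way to see what the outer search is actually being given.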

japonter
Explorer

You are the man!!!

The search you provided and the information helped very much.

After reading what you said, I saw one problem: the first line of the CSV file had to have the field I needed to compare with the logs. That's something I did have. The first line had a generic domain admin field; I had to change it to Account_Name, a normal field seen in Splunk, for it to complete the search.

 

Now I'm going to try and finish the search with the event codes I need to monitor those accounts. I should be able to do this? Add specific Windows event codes to the search to better refine it.

0 Karma