Security

domain account search using csv and event id

japonter
Explorer

Hi, I have been looking but can't seem to make much sense of it all.

I'm new to Splunk. I'm trying to create a search and alert from a CSV file; the CSV file contains Domain Admin accounts, and I wanted to create a search for a number of event IDs on those domain admin accounts.

index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv


But I can't seem to make it work. Any help would be great.

0 Karma
1 Solution

richgalloway
SplunkTrust

"can't make it work" is not a great problem statement.  What results do you get and how do they compare to what you want to get?

The inputlookup command is a generating command so it has to be the first command in a search.  That's one reason the sample query doesn't work.

I suspect you're wanting to read the CSV and use the list of admin names to filter data in an index.  That's done using a subsearch.  In Splunk, a subsearch is identified by square brackets and executes first.  The output of the subsearch is appended to the main search before execution continues.  Try this example:

index=win sourcetype=wineventlog EventCode=*the events im looking for* [| inputlookup file.csv | format]

The inputlookup command is the first command in the subsearch.  The subsearch runs, reads file.csv, then formats the results into the form "(admin=foo OR admin=bar OR admin=baz...)".  It's important for the field name read from the CSV to match a field name in the index used by the main search.  Use a rename in the subsearch to satisfy that requirement.

It should be noted that the phrase EventCode=*the events im looking for* needs to have a single value on the right hand side.  If you want to search for multiple event codes then use an OR expression or the IN operator.

index=win sourcetype=wineventlog (EventCode=4123 OR EventCode=4124)

index=win sourcetype=wineventlog EventCode IN (4123, 4124)
---
If this reply helps you, Karma would be appreciated.
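Putting the pieces of the answer together as a scheduled alert, as an added example that is not from the original post: the subsearch reads the admin list, renames the CSV column to the field name used in the index, and the main search restricts to a fixed set of Windows Security event IDs. The lookup name domain_admins.csv, the column header "Domain Admin", the stanza name and schedule, and the particular event IDs chosen are assumptions.

```ini
# savedsearches.conf stanza (added example, not from the original post).
# Assumptions: the lookup is named domain_admins.csv and its header row
# is "Domain Admin"; the Windows Security event IDs used here are
# 4624 (logon), 4672 (special privileges assigned to new logon),
# 4720 (user account created) and 4728 (member added to a global
# security group). A trailing backslash continues a value onto the next line.
[Domain admin account activity]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=win sourcetype=wineventlog EventCode IN (4624, 4672, 4720, 4728) \
    [| inputlookup domain_admins.csv \
     | rename "Domain Admin" AS Account_Name \
     | fields Account_Name \
     | format] \
    | stats count min(_time) AS first_seen max(_time) AS last_seen \
        values(EventCode) AS event_codes dc(ComputerName) AS hosts \
        BY Account_Name \
    | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), \
           last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
# Fire whenever at least one listed admin produced a matching event.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
```

The `fields` step matters because `format` builds its OR expression from every field left in the subsearch results, so any extra CSV columns would otherwise leak into the generated filter. Account_Name is multivalued in many of these events (subject and target account), so the generated filter matches whichever of them is a listed admin.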

japonter
Explorer

You are the man!!!

The search you provided and the information helped very much.

After reading what you said, I saw one problem: the first line of the CSV file had to have the field I needed to compare with the logs. That's something I did have. The first line had a generic domain admin field; I had to change it to Account_Name, a normal field seen in Splunk, for it to complete the search.


Now I'm going to try and finish the search with the event codes I need to monitor those accounts. I should be able to do this? Add specific Windows event codes into the search to better refine it.

0 Karma