
domain account search using csv and event id

japonter
Explorer

Hi, I have been looking but can't seem to make much sense of it all.

I'm new to Splunk. I'm trying to create a search and alert from a CSV file; the CSV file contains Domain Admin accounts and I wanted to create a search for a number of event IDs on those domain admin accounts.

index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv


but can't seem to make it work. Any help would be great.

0 Karma
1 Solution

richgalloway
SplunkTrust

"can't make it work" is not a great problem statement.  What results do you get and how do they compare to what you want to get?

The inputlookup command is a generating command so it has to be the first command in a search.  That's one reason the sample query doesn't work.

I suspect you're wanting to read the CSV and use the list of admin names to filter data in an index.  That's done using a subsearch.  In Splunk, a subsearch is identified by square brackets and executes first.  The output of the subsearch is appended to the main search before execution continues.  Try this example:

index=win sourcetype=wineventlog EventCode=*the events im looking for* [| inputlookup file.csv | format]

The inputlookup command is the first command in a subsearch.  The subsearch runs, reads file.csv, then formats the results into the form "(admin=foo OR admin=bar OR admin=baz...)".  It's important for the field name read from the CSV to match a field name in the index used by the main search.  Use a rename in the subsearch to satisfy that requirement.

It should be noted that the phrase EventCode=*the events im looking for* needs to have a single value on the right hand side.  If you want to search for multiple event codes then use an OR expression or the IN operator.

index=win sourcetype=wineventlog (EventCode=4123 OR EventCode=4124)

index=win sourcetype=wineventlog EventCode IN (4123, 4124)
---
If this reply helps you, Karma would be appreciated.
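Putting the pieces of the answer together as one added example (not the answerer's own search): the lookup column is renamed to the indexed field, the event codes use IN, and a stats tail aggregates per account so the result can drive an alert. The lookup name domain_admins.csv, its header column Domain_Admin, and the specific event codes are assumptions for illustration.

```spl
index=win sourcetype=wineventlog EventCode IN (4624, 4672, 4720, 4728)
    [| inputlookup domain_admins.csv
     | rename Domain_Admin AS Account_Name
     | fields Account_Name
     | format]
| stats count min(_time) AS first_seen max(_time) AS last_seen BY Account_Name, EventCode
```

The subsearch expands to (Account_Name="adm1" OR Account_Name="adm2" ...); the fields command keeps only that column, because format would otherwise AND every extra CSV column into each clause and the filter would silently match nothing.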

japonter
Explorer

You are the man!!!

The search you provided and the information helped very much.

After reading what you said, I saw one problem: the first line of the CSV file had to have the field I needed to compare with the logs. That's something I did have. The first line had a generic domain admin field; I had to change it to Account_Name, a normal field seen in Splunk, for it to complete the search.

Now I'm going to try and finish the search with the event codes I need to monitor those accounts. I should be able to do this? Add specific Windows event codes to the search to better refine it.

0 Karma