Hi, I have been looking but can't seem to make much sense of it all.
I'm new to Splunk. I'm trying to create a search and alert from a CSV file. The CSV file contains Domain Admin accounts, and I wanted to create a search for a number of event IDs on those domain admin accounts.
index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv
but I can't seem to make it work. Any help would be great.
"can't make it work" is not a great problem statement. What results do you get and how do they compare to what you want to get?
The inputlookup command is a generating command so it has to be the first command in a search. That's one reason the sample query doesn't work.
I suspect you're wanting to read the CSV and use the list of admin names to filter data in an index. That's done using a subsearch. In Splunk, a subsearch is identified by square brackets and executes first. The output of the subsearch is appended to the main search before execution continues. Try this example:
index=win sourcetype=wineventlog EventCode=*the events im looking for* [| inputlookup file.csv | format]
The inputlookup command is the first command in the subsearch. The subsearch runs, reads file.csv, then formats the results into the form "(admin=foo OR admin=bar OR admin=baz...)". It's important for the field name read from the CSV to match a field name in the index used by the main search. Use a rename in the subsearch to satisfy that requirement.
It should be noted that the phrase EventCode=*the events im looking for* needs to have a single value on the right hand side. If you want to search for multiple event codes then use an OR expression or the IN operator.
index=win sourcetype=wineventlog (EventCode=4123 OR EventCode=4124)
index=win sourcetype=wineventlog EventCode IN (4123, 4124)
If this reply helps you, Karma would be appreciated.
You are the man!!!
The search you provided and the information helped very much.
After reading what you said, I saw one problem: the first line of the CSV file had to have the field I needed to compare with the logs. That's something I did have. The first line had a generic domain admin field; I had to change it to Account_Name, a normal field seen in Splunk, for it to complete the search.
Now I'm gonna try and finish the search with the event codes I need to monitor those accounts. I should be able to do this? Add specific event codes from Windows into the search to better refine it.
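Putting the answer's subsearch pattern together with the Account_Name field from the follow-up, here is a complete search of the kind described above. It is an added example, not one posted in the thread: the lookup name domain_admins.csv, its column header domain_admin, and the event codes are assumptions, chosen to show the rename, the fields restriction and an IN list in one place.

```spl
index=win sourcetype=wineventlog EventCode IN (4624, 4625, 4672, 4720, 4728)
    [| inputlookup domain_admins.csv
     | rename domain_admin AS Account_Name
     | fields Account_Name
     | format]
| stats count min(_time) AS first_seen max(_time) AS last_seen BY Account_Name EventCode host
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

The fields command keeps any extra CSV columns out of the generated OR clause, and a subsearch returns at most 10,000 rows by default, so a very large admin list would need a lookup-based filter (for example a match against the lookup with lookup ... OUTPUT) rather than the format approach.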
