Security

domain account search using csv and event id

japonter
Explorer

Hi, I have been looking but can't seem to make much sense of it all.

I'm new to Splunk. I'm trying to create a search and alert from a CSV file; the CSV file contains Domain Admin accounts and I wanted to create a search for a number of event IDs on those domain admin accounts.

index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv

but can't seem to make it work. Any help would be great.

0 Karma
1 Solution

richgalloway
SplunkTrust

"can't make it work" is not a great problem statement.  What results do you get and how do they compare to what you want to get?

The inputlookup command is a generating command so it has to be the first command in a search.  That's one reason the sample query doesn't work.

I suspect you're wanting to read the CSV and use the list of admin names to filter data in an index.  That's done using a subsearch.  In Splunk, a subsearch is identified by square brackets and executes first.  The output of the subsearch is appended to the main search before execution continues.  Try this example:

index=win sourcetype=wineventlog EventCode=*the events im looking for* [| inputlookup file.csv | format]

The inputlookup command is the first command in a subsearch.  The subsearch runs, reads file.csv, then formats the results into the form "(admin=foo OR admin=bar OR admin=baz...)".  It's important for the field name read from the CSV to match a field name in the index used by the main search.  Use a rename in the subsearch to satisfy that requirement.

It should be noted that the phrase EventCode=*the events im looking for* needs to have a single value on the right hand side.  If you want to search for multiple event codes then use an OR expression or the IN operator.

index=win sourcetype=wineventlog (EventCode=4123 OR EventCode=4124)

index=win sourcetype=wineventlog EventCode IN (4123, 4124)
---
If this reply helps you, Karma would be appreciated.
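The subsearch mechanics described in the accepted answer, emulated in Python as an added example (not part of the original thread or of Splunk itself): a constructed lookup CSV is read the way `inputlookup` reads it, optionally renamed, turned into the OR-expression that `format` splices into the main search, and then applied to a handful of constructed Windows Security events together with an `EventCode IN (...)` filter. The CSV header `Domain Admin`, the account names, hosts and the event codes used here are all assumptions chosen for illustration; the point it shows is the one from the follow-up post: when the lookup's column name does not match a field in the events, the generated filter matches nothing, and a `rename` in the subsearch fixes it.

```python
import csv
import io

# Constructed sample lookup file. Its header does NOT match any event field yet,
# which is exactly the mismatch the thread ran into.
DOMAIN_ADMINS_CSV = """Domain Admin
alice.adm
bob.adm
"""

# Constructed sample events in the shape of Windows Security log fields.
EVENTS = [
    {"EventCode": "4624", "Account_Name": "alice.adm", "host": "dc01"},
    {"EventCode": "4672", "Account_Name": "alice.adm", "host": "dc01"},
    {"EventCode": "4624", "Account_Name": "jdoe", "host": "ws07"},
    {"EventCode": "4720", "Account_Name": "bob.adm", "host": "dc02"},
    {"EventCode": "4634", "Account_Name": "bob.adm", "host": "dc02"},
]


def inputlookup(csv_text, rename=None):
    """Emulate `| inputlookup file.csv [| rename <old> AS <new>]`.

    Returns one dict per CSV row; `rename` is an (old, new) column-name pair.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if rename:
        old, new = rename
        rows = [{(new if k == old else k): v for k, v in r.items()} for r in rows]
    return rows


def format_subsearch(rows):
    """Emulate `| format`: build the OR-expression Splunk splices into the main search.

    Splunk renders it as ( ( field="v1" ) OR ( field="v2" ) ... ).
    """
    terms = []
    for row in rows:
        clause = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        terms.append(f"( {clause} )")
    return "( " + " OR ".join(terms) + " )"


def search(events, event_codes, admin_rows):
    """Emulate `EventCode IN (...) [subsearch]` over a list of event dicts.

    An event passes the subsearch filter if every field=value of some lookup
    row matches it; a lookup column absent from the events can never match.
    """
    hits = []
    for ev in events:
        if ev["EventCode"] not in event_codes:
            continue
        if any(all(ev.get(k) == v for k, v in row.items()) for row in admin_rows):
            hits.append(ev)
    return hits


def run_example():
    """Run the search with and without the rename and report how many events matched."""
    codes = {"4624", "4672", "4720"}  # assumed codes to monitor; substitute your own
    # Without the rename the filter is ( Domain Admin="alice.adm" ) ... -> no event has that field.
    unmatched = search(EVENTS, codes, inputlookup(DOMAIN_ADMINS_CSV))
    # With `| rename "Domain Admin" AS Account_Name` the filter lines up with the events.
    rows = inputlookup(DOMAIN_ADMINS_CSV, rename=("Domain Admin", "Account_Name"))
    matched = search(EVENTS, codes, rows)
    return {
        "filter": format_subsearch(rows),
        "without_rename": len(unmatched),
        "with_rename": len(matched),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The equivalent SPL, with the assumed column and codes, would read `index=win sourcetype=wineventlog EventCode IN (4624, 4672, 4720) [| inputlookup file.csv | rename "Domain Admin" AS Account_Name | fields Account_Name | format]`; the `fields` step keeps any extra lookup columns from being ANDed into the filter, which the emulation above also makes visible if you add a second column to the CSV.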

japonter
Explorer

You are the man!!!

The search you provided and the information helped very much.

After reading what you said, I saw one problem: the first line of the CSV file had to have the field I needed to compare with the logs. That's something I did have. The first line had a generic domain admin field; I had to change it to Account_Name, as a normal field seen in Splunk, for it to complete the search.

Now I'm going to try and finish the search with the event codes I need to monitor those accounts. I should be able to do this? Add the specific Windows event codes to the search to better refine it.

0 Karma