Want to use a lookup file that has a list of specific user IDs to search the Palo Alto GlobalProtect logs and identify their VPN usage. I am receiving an error "Error in 'table' command: Invalid argument: 'User=xyz'" when the rex is before the inputlookup. I receive 0 results when the inputlookup is before the rex. I know the rex works when run independently, as a list of all the usernames is shown. Greatly appreciate the help in advance.
index=* sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user),"User Domain"=if(isnull(user_domain),"unknown",user_domain)
| table User
[| inputlookup lookupname.csv
|rename ntid as "User"]
|table User
The error message is different, but the cause is the same.
To see what is happening, run the subsearch by itself with | format appended.
| inputlookup lookup.csv |rename ntid as "User" | format
You should get something like "User=foo OR User=bar OR User=baz". Whatever you get, the exact string will be appended to the eval command and executed. Since the result is not a series of assignments, an error is thrown.
In general, use caution with where you put subsearches.
In the typical case, this subsearch would be part of the base search, like this:
index=networking sourcetype="pan:globalprotect" [| inputlookup lookup.csv | rename ntid as "User"]
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user)
| eval UserDomain=if(isnull(user_domain),"unknown",user_domain)
| table User
but that won't work because the User field doesn't exist until it is created in the first eval command. Instead, try this alternative:
index=networking sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user)
| eval UserDomain=if(isnull(user_domain),"unknown",user_domain)
| where [| inputlookup lookup.csv |rename ntid as "User" | fields User ]
|table User
The error comes from this statement
| table User
[| inputlookup lookupname.csv
|rename ntid as "User"]
Since there is no pipe before the subsearch, its results become part of the table command. That results in something like this:
| table User User=foo OR User=bar ...
which is not a valid table command. Hence the error message.
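The two answers above cover the mechanics (the subsearch is expanded into a `User="foo" OR User="bar" ...` string and spliced into whichever command it sits in). The query below is an added example, not something posted in this thread: it applies the subsearch through the `search` command after `User` has been built, and then summarises VPN usage per user, which is what the question is actually after. It assumes the lookup is `lookupname.csv` with a column `ntid` (as in the question), that the `pan:globalprotect` events carry `user` as `DOMAIN\username`, and that the index is `networking` as in the answers; adjust all three to your environment.

```spl
index=networking sourcetype="pan:globalprotect"
| rex field=user "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="", "unknown", isnotnull(user_only), user_only, 1=1, user)
| eval UserDomain=if(isnull(user_domain), "unknown", user_domain)
``` search [ ... ] expands to ( ( User="foo" ) OR ( User="bar" ) ... ) and is evaluated here, after User exists ```
| search [| inputlookup lookupname.csv | rename ntid AS User | fields User]
``` one row per watched user: how often, and when first/last, they were seen on the VPN ```
| stats count AS connections earliest(_time) AS first_seen latest(_time) AS last_seen BY User UserDomain
| convert ctime(first_seen) ctime(last_seen)
| sort - connections
```

Two caveats worth knowing before relying on this. First, an `inputlookup` subsearch is capped by the subsearch result limit (10,000 rows by default, `maxout` under `[subsearch]` in limits.conf); if the user list is larger than that, filter with the `lookup` command instead, which has no such cap: `| lookup lookupname.csv ntid AS User OUTPUT ntid AS watched_user | where isnotnull(watched_user)`. Second, matching is not uniformly case-insensitive: `search` compares field values case-insensitively, but `where` and the `lookup` command (for a CSV lookup with the default `case_sensitive_match = true`) do not, so a lookup entry `JSMITH` will not match a log value `jsmith` with those commands unless you `lower()` both sides or set `case_sensitive_match = false` in the lookup definition.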
Splunk tells me the expression is malformed for the eval command with the adjustment.
index=networking sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user)
| eval UserDomain=if(isnull(user_domain),"unknown",user_domain)
[| inputlookup lookup.csv |rename ntid as "User"]
|table User
Maybe I am missing what you are recommending my end search look like.