Splunk Cloud Platform

Help with Palo Alto GlobalProtect and Inputlookup?

donaldwayne1975
Path Finder

Want to use a lookup file that has a list of specific user IDs to search the Palo Alto GlobalProtect logs and identify their VPN usage.  I am receiving an error "Error in 'table' command: Invalid argument: 'User=xyz'" when the rex is before the inputlookup.  I receive 0 results when the inputlookup is before the rex.  I know the rex works when run independently, as a list of all the usernames is listed.  Greatly appreciate the help in advance.


index=* sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)" 
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user),"User Domain"=if(isnull(user_domain),"unknown",user_domain)
| table User
[| inputlookup lookupname.csv 
|rename ntid as "User"]
|table User

0 Karma
1 Solution

richgalloway
SplunkTrust

The error message is different, but the cause is the same.

To see what is happening, run the subsearch by itself with | format appended.

| inputlookup lookup.csv |rename ntid as "User" | format

You should get something like "User=foo OR User=bar OR User=baz".  Whatever you get, the exact string will be appended to the eval command and executed.  Since the result is not a series of assignments, an error is thrown.

In general, use caution with where you put subsearches.

In the typical case, this subsearch would be part of the base search, like this:

index=networking sourcetype="pan:globalprotect" [| inputlookup lookup.csv | rename ntid as "User"]
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user)
| eval UserDomain=if(isnull(user_domain),"unknown",user_domain)
| table User

but that won't work because the User field doesn't exist until it is created in the first eval command.  Instead, try this alternative:

index=networking sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user)
| eval UserDomain=if(isnull(user_domain),"unknown",user_domain)
| where [| inputlookup lookup.csv |rename ntid as "User" | fields User ]
|table User
---
If this reply helps you, Karma would be appreciated.

View solution in original post


richgalloway
SplunkTrust

The error comes from this statement

| table User
[| inputlookup lookupname.csv 
|rename ntid as "User"]

Since there is no pipe before the subsearch, its results become part of the table command.  That results in something like this:

| table User User=foo OR User=bar ...

which is not a valid table command.  Hence the error message.

---
If this reply helps you, Karma would be appreciated.
0 Karma
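Added example (not from the thread or from Splunk): a small Python model of what the two replies above describe. It renders the text a `| format` subsearch expands to, shows how that text reads when spliced after `table` versus after `where`, and runs the rex / eval case() logic from the accepted answer over a handful of constructed GlobalProtect-style `user` values against a constructed `lookup.csv`, so you can see which rows the `where [subsearch]` filter keeps. The event values, lookup rows and function names are all made up for the illustration; Python `None` stands in for a Splunk null field.

```python
"""Simulation of the SPL pipeline discussed in the thread (example code, not SPL)."""
import re
from typing import List, Optional, Tuple

# Constructed sample events, shaped like the `user` field of pan:globalprotect logs.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice"},   # domain-qualified, DOMAIN\user
    {"user": "CORP\\bob"},
    {"user": "carol"},         # no backslash, so the rex does not match
    {"user": None},            # field absent on the event (Splunk null)
    {"user": "CORP\\alice"},   # second session for the same account
]

# Constructed lookup.csv contents: one column `ntid`, renamed to User by the subsearch.
LOOKUP_ROWS = [{"ntid": "alice"}, {"ntid": "carol"}, {"ntid": "erin"}]

# The rex from the answer, in Python syntax. SPL needs `\\\\` because the pattern
# passes through a quoted string first; Python's raw string needs only `\\`.
USER_RE = re.compile(r"(?P<user_domain>[^\\]+)\\(?P<user_only>.+)")


def rex_user(user: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """| rex field="user" ... : returns (user_domain, user_only); None where nothing matched."""
    if user is None:
        return None, None
    m = USER_RE.search(user)
    if m is None:
        return None, None
    return m.group("user_domain"), m.group("user_only")


def eval_user(user: Optional[str], user_only: Optional[str]) -> Optional[str]:
    """case(user_only=="" AND user=="","unknown", isnotnull(user_only),user_only, 1=1,user)"""
    if user_only == "" and user == "":
        return "unknown"
    if user_only is not None:
        return user_only
    return user


def eval_user_domain(user_domain: Optional[str]) -> str:
    """if(isnull(user_domain),"unknown",user_domain)"""
    return "unknown" if user_domain is None else user_domain


def format_subsearch(rows: List[dict], field: str) -> str:
    """Text that `| inputlookup ... | rename ntid as User | fields User | format` displays.
    Mirrors Splunk's default format output: ( ( f="v1" ) OR ( f="v2" ) )."""
    terms = " OR ".join(f'( {field}="{row[field]}" )' for row in rows)
    return f"( {terms} )"


def splice(outer_command: str, subsearch_text: str) -> str:
    """What the search parser sees: the expanded subsearch is appended verbatim to the
    preceding command. After `| table User` that is extra arguments (the OP's error);
    after `| where` it is a boolean expression, which is what `where` expects."""
    return f"{outer_command} {subsearch_text}"


def where_matches(row: dict, subsearch_rows: List[dict], field: str) -> bool:
    """Semantics of the OR expression `where` ends up evaluating per row."""
    return any(row.get(field) == sub[field] for sub in subsearch_rows)


def run_pipeline(events: List[dict], lookup_rows: List[dict]) -> List[dict]:
    """rex -> eval User -> eval UserDomain -> where [subsearch] -> table User UserDomain."""
    sub_rows = [{"User": r["ntid"]} for r in lookup_rows]  # | rename ntid as "User"
    kept = []
    for ev in events:
        domain, only = rex_user(ev.get("user"))
        row = {
            "User": eval_user(ev.get("user"), only),
            "UserDomain": eval_user_domain(domain),
        }
        if where_matches(row, sub_rows, "User"):
            kept.append(row)
    return kept


if __name__ == "__main__":
    sub = format_subsearch([{"User": r["ntid"]} for r in LOOKUP_ROWS], "User")
    print("format output :", sub)
    print("after table   :", splice("| table User", sub))
    print("after where   :", splice("| where", sub))
    for row in run_pipeline(SAMPLE_EVENTS, LOOKUP_ROWS):
        print(row)
```

Running it prints the expanded subsearch once, then the two spliced forms side by side, then the three rows that survive the filter: alice twice (domain CORP) and carol (domain unknown, because the bare username never matched the rex). bob is dropped because he is not in the lookup, erin because she never appears in the events, and the event with no `user` field is dropped because its User stays null.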

donaldwayne1975
Path Finder

Splunk tells me the expression is malformed for the eval command with the adjustment.

index=networking sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user)
| eval UserDomain=if(isnull(user_domain),"unknown",user_domain)
[| inputlookup lookup.csv |rename ntid as "User"]
|table User

Maybe I am missing what you are recommending my end search look like.

0 Karma