Splunk Enterprise Security

Correlation search using lookup table

tromero3
Path Finder

I have a lookup table that consists of AD groups with the fields Group, is_privileged, and Type. I need to create a correlation search that looks at my Windows events for EventID=4728 OR EventID=4732 OR EventID=4756 and, if the "Group_Name" field in the event matches the Group field in the lookup table, I want it to show results.

This is what I have but it is not showing the events that match. Any advice?

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

0 Karma

aberkow
Builder

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

I think you renamed is_privileged to privileged and then searched for is_privileged instead of privileged.

As a side note: debugging line by line is a really powerful way to figure out where your bugs are in Splunk code, since SPL is a Unix-based language: the output of one search goes directly into the input of another. So to find a bug in the last pipe, go pipe by pipe until you find the bug. In your case, if you run the search just after the lookup command, you would probably see values for privileged, which could clue you in that the values are there and the field name might be incorrect.

Hope this helps!

EDIT: I prefer search for string comparison, as that's its core functionality and I'm less likely to hit a mismatch in comparisons. where is more commonly used for field comparisons, i.e. field1 = field2, field1 > field2, etc.

0 Karma
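The corrected correlation search, written out here as an added example (not the original poster's search or Splunk's own content): it keeps the renamed field consistent, uses search for the string match as the answer suggests, and summarises per actor and target account so the notable event carries the fields an analyst needs. The field names user (member added) and src_user (account making the change) are assumed from the Windows add-on's field extractions, and the Type column in AD_groups is assumed from the question.

```spl
index=windows (EventID=4728 OR EventID=4732 OR EventID=4756)
| lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged, Type AS group_type
| search privileged="True"
| stats count AS member_adds, values(Group_Name) AS Group_Name, values(group_type) AS group_type, values(EventID) AS EventID, min(_time) AS firstTime, max(_time) AS lastTime BY user, src_user
| convert ctime(firstTime), ctime(lastTime)
```

Run it one pipe at a time as the answer describes: stopping after the lookup shows whether privileged is populated at all (if it is empty, check that the Group values in the CSV match Group_Name exactly, since file-based lookups match case-sensitively by default). The search command matches "True" case-insensitively, whereas a where comparison would silently miss a lookup that stores "true".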