Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlation search using lookup table

tromero3
Path Finder
‎01-08-2020 09:19 AM

I have a lookup table that consists of AD groups with the fields Group, is_privileged, and Type. I need to create a correlation search that looks at my windows events for EventID=4728 OR EventID=4732 OR EventID=4756 and if the "Group_Name" field in the event matches the Group field in the lookup table, I want it to show results.

This is what I have but it is not showing the events that match. Any advice?

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

0 Karma
Reply

aberkow
Builder
‎01-08-2020 12:49 PM

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

I think you renamed is_privileged to privileged and then searched for is_privileged instead of privileged.

As a side note: debugging line by line is a really powerful way to figure out where your bugs are in Splunk code, since SPL is a unix based language the output of one search goes directly into the input of another. So to find a bug in the last pipe, go pipe by pipe until you find the bug. In your case, if you run the search just after the lookup command you would probably see values for privileged, which could clue that the values are there and the field name might be incorrect.

Hope this helps!

EDIT: I prefer search for string comparison, as that's it's core functionality and I'm less likely to hit a mismatch in comparisons. where is more commonly used for field comparisons, i.e. field1 = field2, field1 > field2 etc

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...