Splunk Search

Another lookup question

jonbalderston
Explorer

I have this working:

| lookup SensitiveGroups.csv Target_Account_Name OUTPUT CSV_Priority | search CSV_Priority="Low" | table _time, Target_Account_Name, Member_ID, Caller_User_Name,CSV_Priority

SensitiveGroups.csv below:

Target_Account_Name,CSV_Priority
Administrators,Low
Domain Admins,Low

Now this creates a table that lists changes to the Target_Account_Name field where it equals Administrators or Domain Admins.
This works.

But I'm now doing a file/folder audit change one, based on other event codes, etc., where the path of the file being changed could be c:\blah\blah\example.txt, so I want to flag where the Object field contains c:\blah\blah.

I could obviously create a lookup file like this, which would tell me when an event pops up with the exact file path in it:

Object,CSV_Priority
c:\blah\blah\example.txt,Low

Using a similar rule as above, but it would miss c:\blah\blah\example2.txt, so I want to use a file like the one below, where any Object containing c:\blah\blah gets flagged and reported; not an equals in the lookup, but a contains.

Object,CSV_Priority
c:\blah\blah,Low

1 Solution

adityapavan18
Contributor

Use something like this, which can take wildcard characters like * for a value in a column in the lookup table, so you can use this in the lookup table:

Object,CSV_Priority
c:\blah\blah*,Low

And in transforms add:

[SensitiveGroups]
filename = SensitiveGroups.csv
match_type = WILDCARD(Object)
case_sensitive_match = false

Then use a query like this:

| lookup SensitiveGroups Object OUTPUT CSV_Priority | search CSV_Priority="Low" | table _time, Object, Member_ID, Caller_User_Name, CSV_Priority


jonbalderston
Explorer

This is the search I used:

index="windows_server_events" host="server1" EventCode=560 Type="audit success"
| lookup FileChanges Object_Name OUTPUT csv_host, csv_name
| search csv_name="*"
| table _time,host,Object_Name,Client_User_Name,csv_name,csv_host

With this CSV:

csv_host,csv_name,Object_Name
server1,folder change test,*E:\Inetpub\*

And this transforms:

[FileChanges]
filename = FileChanges.csv
match_type = WILDCARD(Object_Name)
case_sensitive_match = false


jonbalderston
Explorer

Works great; found I had to put this in though:

search csv_name="*"

What are the reasons for using the transforms file rather than .csv in search like I was doing?

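To sanity-check a wildcard lookup table offline before shipping it to a search head, here is an added example (not Splunk's code and not code from either poster) that emulates the match_type = WILDCARD lookup definition and the "| search csv_name="*"" filter from the thread over a constructed lookup table and constructed EventCode 560 events. The sample paths and user names, the second exact-match row in the table, and the first-matching-row-wins rule are assumptions made for illustration; Splunk itself can return several matching rows as multivalue fields.

```python
import csv
import io
import re

# Constructed lookup table in the same shape as the thread's FileChanges.csv
# (sample data, not the poster's file). Row 1 is the wildcard row from the
# thread; row 2 is an exact row added to show how an exact path misses
# sibling files such as example2.txt.
LOOKUP_CSV = r"""csv_host,csv_name,Object_Name
server1,folder change test,*E:\Inetpub\*
server1,exact file test,C:\blah\blah\example.txt
"""

# Constructed sample events standing in for EventCode=560 search results;
# only the fields the thread's search uses are present.
EVENTS = [
    {"host": "server1", "Object_Name": r"E:\Inetpub\wwwroot\web.config",
     "Client_User_Name": "alice"},
    {"host": "server1", "Object_Name": r"e:\INETPUB\logs\ex240101.log",
     "Client_User_Name": "bob"},            # same tree, different case
    {"host": "server1", "Object_Name": r"C:\blah\blah\example.txt",
     "Client_User_Name": "carol"},          # hits the exact row
    {"host": "server1", "Object_Name": r"C:\blah\blah\example2.txt",
     "Client_User_Name": "carol"},          # missed by the exact row
    {"host": "server1", "Object_Name": r"C:\Windows\Temp\svc.tmp",
     "Client_User_Name": "dave"},           # matches nothing
]


def wildcard_to_regex(pattern, case_sensitive=False):
    """Emulate transforms.conf match_type = WILDCARD: only '*' is special;
    every other character (backslash, '?', '[' ...) is matched literally.
    case_sensitive mirrors case_sensitive_match in the lookup definition."""
    parts = [re.escape(p) for p in pattern.split("*")]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + ".*".join(parts) + "$", flags)


def load_lookup(csv_text):
    """Read the lookup table the way Splunk reads a CSV lookup: header row = field names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def splunk_lookup(events, rows, match_field, output_fields, case_sensitive=False):
    """Emulate `| lookup <definition> <match_field> OUTPUT <output_fields>` for a
    WILDCARD lookup definition. Events with no matching row pass through without
    the output fields, which is why the thread needed `| search csv_name="*"`.
    Assumption (simplification): the first matching row wins."""
    compiled = [(wildcard_to_regex(row[match_field], case_sensitive), row) for row in rows]
    result = []
    for event in events:
        enriched = dict(event)
        value = event.get(match_field)
        if value is not None:
            for regex, row in compiled:
                if regex.match(value):
                    for field in output_fields:
                        enriched[field] = row[field]
                    break
        result.append(enriched)
    return result


def flag_sensitive_objects(events, lookup_text=LOOKUP_CSV, case_sensitive=False):
    """The thread's pipeline: lookup, keep only events that received csv_name
    (`| search csv_name="*"`), then the columns the `table` command shows."""
    rows = load_lookup(lookup_text)
    enriched = splunk_lookup(events, rows, "Object_Name", ["csv_host", "csv_name"], case_sensitive)
    matched = [e for e in enriched if e.get("csv_name") is not None]
    return [(e["host"], e["Object_Name"], e["Client_User_Name"], e["csv_name"], e["csv_host"])
            for e in matched]


if __name__ == "__main__":
    for row in flag_sensitive_objects(EVENTS):
        print(row)
    # With case_sensitive_match = true the e:\INETPUB\... event is silently missed.
    print(len(flag_sensitive_objects(EVENTS, case_sensitive=True)), "rows with case-sensitive matching")
```

Two points this makes about the thread. First, on why the lookup has to go through transforms.conf: "| lookup SensitiveGroups.csv" uses the exact-match definition Splunk creates automatically for an uploaded file, while match_type (WILDCARD, CIDR) and case_sensitive_match are settings of a lookup definition, so a wildcard lookup has to be invoked by its definition name. Second, case_sensitive_match defaults to true; NTFS paths are case-insensitive and Windows audit events do not normalise case, so without case_sensitive_match = false a change to e:\inetpub\... would not be flagged, which is exactly the kind of gap a detection like this exists to close. A wildcard table is also scanned row by row for every event rather than hashed, so keep it short and put a leading "*" on a row only when you really mean "anywhere in the path".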