Assuming implicit lookup table with filename blah.csv

mpatnode
Path Finder

Why do I get this message?

Assuming implicit lookup table with filename sidtodn.csv

It seemed to me that I was fairly explicit about the lookup table:

Here's my search:

sourcetype="WinEventLog:Security" CategoryString="Directory Service Access" Accesses="Create Child"
| rename Additional_Info AS DN
| dedup DN
| join  usetime=true earlier=false  DN [search sourcetype=activedirectory admonEventType="update" displayName="$CimsUser*" | rename distinguishedName AS DN ]
| lookup sidtodn.csv objectSid as parentLink OUTPUT distinguishedName AS parent
| table parent name uid gid home unix_enabled User

Note, I'm having to join on DNs because GUID and SID output is broken in 4.1.5.


Stephen_Sorkin
Splunk Employee

The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:

[sidtodn]
filename = sidtodn.csv

Then you can refer to the lookup as lookup sidtodn ....
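As an added illustration (not part of the original answer), here is the transforms.conf stanza next to the original search's lookup line rewritten to use the named lookup instead of the bare filename; the app name and the lookups directory path are assumptions:

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf   (app name is an assumption)
# The CSV itself lives beside it in $SPLUNK_HOME/etc/apps/<your_app>/lookups/sidtodn.csv
# and needs at least the columns objectSid and distinguishedName.
[sidtodn]
filename = sidtodn.csv

# With the stanza in place, the search refers to the lookup by its stanza name,
# so Splunk no longer has to guess and no longer emits
# "Assuming implicit lookup table with filename sidtodn.csv":
#
#   ... | lookup sidtodn objectSid AS parentLink OUTPUT distinguishedName AS parent
#       | table parent name uid gid home unix_enabled User
```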

mpatnode
Path Finder

Thanks. That worked, but I strongly question the value of that error message.
