Solved: Assuming implicit lookup table with filename blah....

mpatnode · ‎09-23-2010

Why do I get this message?

Assuming implicit lookup table with filename sidtodn.csv

It seemed to me that I was fairly explicit about the lookup table:

Here's my search:

sourcetype="WinEventLog:Security" CategoryString="Directory Service Access" Accesses="Create Child"
| rename Additional_Info AS DN
| dedup DN
| join  usetime=true earlier=false  DN [search sourcetype=activedirectory admonEventType="update" displayName="$CimsUser*" | rename distinguishedName AS DN ]
| lookup sidtodn.csv objectSid as parentLink OUTPUT distinguishedName AS parent
| table parent name uid gid home unix_enabled User

Note, I'm having to join on DN's because GUID and SID output is broken in 4.1.5.

Stephen_Sorkin · ‎09-23-2010

The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:

[sidtodn]
filename = sidtodn.csv

Then you can refer to the lookup as lookup sidtodn ....

View solution in original post

Stephen_Sorkin · ‎09-23-2010

The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:

[sidtodn]
filename = sidtodn.csv

Then you can refer to the lookup as lookup sidtodn ....

mpatnode · ‎11-03-2010

Thanks. That worked, but I strongly question the value of that error message.

Assuming implicit lookup table with filename blah.csv

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation