Solved: Assuming implicit lookup table with filename blah....

mpatnode · ‎09-23-2010

Why do I get this message?

Assuming implicit lookup table with filename sidtodn.csv

It seemed to me that I was fairly explicit about the lookup table:

Here's my search:

sourcetype="WinEventLog:Security" CategoryString="Directory Service Access" Accesses="Create Child"
| rename Additional_Info AS DN
| dedup DN
| join  usetime=true earlier=false  DN [search sourcetype=activedirectory admonEventType="update" displayName="$CimsUser*" | rename distinguishedName AS DN ]
| lookup sidtodn.csv objectSid as parentLink OUTPUT distinguishedName AS parent
| table parent name uid gid home unix_enabled User

Note, I'm having to join on DN's because GUID and SID output is broken in 4.1.5.

Stephen_Sorkin · ‎09-23-2010

The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:

[sidtodn]
filename = sidtodn.csv

Then you can refer to the lookup as lookup sidtodn ....

View solution in original post

Stephen_Sorkin · ‎09-23-2010

The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:

[sidtodn]
filename = sidtodn.csv

Then you can refer to the lookup as lookup sidtodn ....

mpatnode · ‎11-03-2010

Thanks. That worked, but I strongly question the value of that error message.

Assuming implicit lookup table with filename blah.csv

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!