Solved: Best way to dump Azure UPNs into scheduled lookup.

fdevera · ‎02-16-2021

I'm trying to dump this info into a scheduled lookup but these are just azuread UPNs that are appearing in the logs for whatever search time it's set to. How do I efficiently get ALL UPNs that are in this rex format regardless of log time?

index=azuread
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| search GUID=*
| dedup initiatedBy.user.userPrincipalName
| table initiatedBy.user.userPrincipalName, GUID
| outputlookup zguids.csv

tscroggins · ‎02-20-2021

@fdevera

A typical recurring lookup generator would append to the existing lookup:

The initial lookup can be populated by executing the search manually over a sufficient range of time. Subsequent searches should be limited to the schedule window. I.e. For an hourly search, set earliest=-1h@h latest=@h. Be sure to account for input lag and adjust scheduling as needed.

View solution in original post

tscroggins · ‎02-20-2021

@fdevera

A typical recurring lookup generator would append to the existing lookup:

The initial lookup can be populated by executing the search manually over a sufficient range of time. Subsequent searches should be limited to the schedule window. I.e. For an hourly search, set earliest=-1h@h latest=@h. Be sure to account for input lag and adjust scheduling as needed.

Best way to dump Azure UPNs into scheduled lookup.

lookup

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor