Solved: Best way to dump Azure UPNs into scheduled lookup.

fdevera · ‎02-16-2021

I'm trying to dump this info into a scheduled lookup but these are just azuread UPNs that are appearing in the logs for whatever search time it's set to. How do I efficiently get ALL UPNs that are in this rex format regardless of log time?

index=azuread
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| search GUID=*
| dedup initiatedBy.user.userPrincipalName
| table initiatedBy.user.userPrincipalName, GUID
| outputlookup zguids.csv

tscroggins · ‎02-20-2021

@fdevera

A typical recurring lookup generator would append to the existing lookup:

The initial lookup can be populated by executing the search manually over a sufficient range of time. Subsequent searches should be limited to the schedule window. I.e. For an hourly search, set earliest=-1h@h latest=@h. Be sure to account for input lag and adjust scheduling as needed.

View solution in original post

tscroggins · ‎02-20-2021

@fdevera

A typical recurring lookup generator would append to the existing lookup:

The initial lookup can be populated by executing the search manually over a sufficient range of time. Subsequent searches should be limited to the schedule window. I.e. For an hourly search, set earliest=-1h@h latest=@h. Be sure to account for input lag and adjust scheduling as needed.

Best way to dump Azure UPNs into scheduled lookup.

lookup

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!