Splunk Search

Can you do Splunk Input with cv2?

judges88
Explorer

Thanks in Advance, 

I have a search set up to see whenever someone accesses a certain document. This works just fine; the issue comes with the results. Looking at the Extracted Fields, I get the user's "Sid" instead of their username. I do however have the Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyone's sAMAccountName as well as their SIDs and puts it in the location of my Lookup Table.

Trying to figure out how to get the |inputlookup to compare the search results' Sid with my Excel doc and give me the AccountName in that specific row as well. Any help?

I have this (minus the output to create my users.csv):

|ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
|eval endDate=""
|table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated

and my main search:

source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*


Just need an input to get my results' Sid to look at the Excel file, find the SID in the "objectSid" column (column B) and give me the sAMAccountName (column A) in my search results...

IF POSSIBLE!

1 Solution

judges88
Explorer

So I was able to figure it out after a few hours.... don't judge haha.... It was because the field in my CSV with the info in it was titled "objectSid" but the original output of the search field was just "sid", so as soon as I renamed "sid" to match the CSV's "objectSid" in my lookup it worked right away....

search here* | rename "Sid" as "objectSid" | lookup users1.csv objectSid OUTPUTNEW sAMAccountName | table Message, sAMAccountName


ITWhisperer
SplunkTrust

You can also do the "rename" as part of the lookup:

search here* | lookup users1.csv objectSid AS Sid OUTPUTNEW sAMAccountName | table Message, sAMAccountName
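As an added example (not code from this thread), the two halves of the pipeline discussed above in one place: the first search builds the lookup file from ldapsearch with outputlookup, and the second enriches the AppLocker events with the AS form of lookup, then labels any SID the user-only lookup could not resolve (e.g. local, built-in or deleted accounts) so they stand out in a review. The lookup file name users1.csv and the NORMAL_ACCOUNT filter are taken from the thread; everything else is assumed.

```spl
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,objectSid,displayName,userAccountControl"
| makemv userAccountControl
| search userAccountControl="NORMAL_ACCOUNT"
| table sAMAccountName, objectSid, displayName
| outputlookup users1.csv

source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*
| lookup users1.csv objectSid AS Sid OUTPUTNEW sAMAccountName, displayName
| fillnull value="UNRESOLVED_SID" sAMAccountName
| stats count by Sid, sAMAccountName, Message
| sort - count
```

OUTPUTNEW only writes sAMAccountName and displayName when the event does not already carry those fields; use OUTPUT instead if the lookup should overwrite existing values.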

judges88
Explorer

@ITWhisperer 

That'll make the search look better for sure. Thanks!

ITWhisperer
SplunkTrust

Have you tried using the lookup command?

lookup - Splunk Documentation


judges88
Explorer

@ITWhisperer 

I did try and did read; I just feel I may not be smart enough to understand this. I never needed to use this before so it's all kinda new. I'll take a look at the docs again.