Can you do Splunk Input with cv2?

judges88
Explorer

Thanks in Advance, 

I have a search set up to see whenever someone accesses a certain document. This works just fine; the issue comes with the results. Looking at the Extracted Fields, I get the user's "Sid" instead of their username. I do however have the Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyone's sAMAccountName as well as their SIDs and puts it in the location of my Lookup Table.

Trying to figure out how to get the |inputlookup to compare the search results' Sid with my Excel doc and give me the AccountName in that specific row as well. Any help?

I have this (minus the output to create my users.csv):

|ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
|eval endDate=""
|table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated

and my main search:

source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*

Just need an input to get my results' Sid to look at the Excel, find the SID in the "objectSid" (column B) and give me the sAMAccountName (column A) in my search results...


IF POSSIBLE!

1 Solution

judges88
Explorer

So I was able to figure it out after a few hours.... don't judge haha.... It was because the field in my CSV with the info in it was titled "objectSid" but the original output of the search field was just "sid", so as soon as I renamed the "sid" to match the CSV "objectSid" in my lookup it worked right away....

search here* | rename "Sid" as "objectSid" | lookup users1.csv objectSid OUTPUTNEW sAMAccountName | table Message, sAMAccountName


ITWhisperer
SplunkTrust

You can also do the "rename" as part of the lookup:

search here* | lookup users1.csv objectSid AS Sid OUTPUTNEW sAMAccountName | table Message, sAMAccountName
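As an added illustration (not code from this thread or from Splunk), this Python models what `lookup users1.csv objectSid OUTPUTNEW sAMAccountName` does with and without the `AS Sid` mapping from the reply above, using a constructed users1.csv and constructed AppLocker-style events: with the field names mismatched, as in the accepted solution's original problem, nothing is enriched; mapping the event field resolves the SIDs, and a SID missing from the directory export stays unresolved.

```python
import csv
import io

# Constructed stand-in for users1.csv as written by the ldapsearch report.
USERS_CSV = """sAMAccountName,objectSid,displayName
jdoe,S-1-5-21-1111111111-2222222222-3333333333-1001,Jane Doe
asmith,S-1-5-21-1111111111-2222222222-3333333333-1002,Al Smith
"""

# Constructed AppLocker-style events; note the extracted field is "Sid", not "objectSid".
EVENTS = [
    {"Message": r"%OSDRIVE%\USERS\JDOE\DOWNLOADS\TOOL.EXE was allowed to run.",
     "Sid": "S-1-5-21-1111111111-2222222222-3333333333-1001"},
    {"Message": r"%OSDRIVE%\USERS\ASMITH\DESKTOP\SETUP.EXE was allowed to run.",
     "Sid": "S-1-5-21-1111111111-2222222222-3333333333-1002"},
    # SID that is not in the directory export: stays unresolved, like a missed lookup.
    {"Message": r"%OSDRIVE%\TEMP\UNKNOWN.EXE was allowed to run.",
     "Sid": "S-1-5-21-9999999999-8888888888-7777777777-1003"},
]

def load_lookup(csv_text):
    """Read the lookup the way a CSV lookup is read: the header row names the fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def lookup(events, table, lookup_field, event_field=None, output_fields=(), overwrite=False):
    """Model `lookup <table> <lookup_field> [AS <event_field>] OUTPUT|OUTPUTNEW <fields>`.

    Without an AS clause the event must carry a field named exactly <lookup_field>,
    which is why "Sid" never matched "objectSid". overwrite=False is OUTPUTNEW
    (an existing event field is kept); overwrite=True is OUTPUT (it is replaced).
    """
    event_field = event_field or lookup_field
    index = {row[lookup_field]: row for row in table}
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = index.get(ev.get(event_field))
        if row is not None:
            for field in output_fields:
                if overwrite or field not in ev:
                    ev[field] = row[field]
        enriched.append(ev)
    return enriched

def resolve_accounts(events, csv_text, event_field=None):
    """Return the sAMAccountName for each event, None where the SID was not found."""
    table = load_lookup(csv_text)
    out = lookup(events, table, "objectSid", event_field, ("sAMAccountName",))
    return [ev.get("sAMAccountName") for ev in out]
```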

judges88
Explorer

@ITWhisperer 

That'll make the search look better for sure. Thanks!

ITWhisperer
SplunkTrust

Have you tried using the lookup command?

lookup - Splunk Documentation


judges88
Explorer

@ITWhisperer 

I did try and did read; I just feel I may not be smart enough to understand this. I never needed to use this before so it's all kinda new. I'll take a look at the docs again.