- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you do Splunk Input with cv2?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks in Advance,
I have a search setup to see whenever someone access's a certain document. This works just fine, the issue comes with the results. Looking at the Extracted Fields, i get the users "Sid" instead of their username. I do however have Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyones sAMAccountName as well as their SIDs' and puts it in the location of my Lookup Table.
Trying to figure out how to get the |inputlookup to compair the search results Sid with my excel doc and give me the AccountName in that specific Row as well. Any help?
I have this ( minus the output to create my users.csv)
|ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
|eval endDate=""
|table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated,
and my main search
source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*
Just need a input to get my results Sid to look at the Excel find the SID in the "objectSid" ( column B ) and give me the sAMAccountName(columnA) into my search results...
IF POSSIBLE!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i was able to figure it out after a few hours.... dont judge haha.... It was because my CSV with the info in it field was titled "objectSid" but the original output of the search field was just "sid" so as soon as i renamed the "sid" to match the csv "objectSid" in my lookup it worked right away....
search here* | rename "Sid" as "objectSid" | lookup users1.csv objectSid OUTPUTNEW sAMAccountName | table Message, sAMAccountName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i was able to figure it out after a few hours.... dont judge haha.... It was because my CSV with the info in it field was titled "objectSid" but the original output of the search field was just "sid" so as soon as i renamed the "sid" to match the csv "objectSid" in my lookup it worked right away....
search here* | rename "Sid" as "objectSid" | lookup users1.csv objectSid OUTPUTNEW sAMAccountName | table Message, sAMAccountName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also do the "rename" as part of the lookup
search here* | lookup users1.csv objectSid AS Sid OUTPUTNEW sAMAccountName | table Message, sAMAccountName- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thatll make the search look better for sure. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried using the lookup command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did try and did read i just feel i may not be smart enough to understand this. I never needed to use this before so its all kinda new. Ill take a look at the docs again.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
