Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating a table combining common field from index and lookup?

weetabixsplunk
Explorer
‎03-03-2023 12:35 PM
 
Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-04-2023 01:05 AM

For any of the proposed search to work, SubjectUserName in wineventlog must be an exact match of distinguishedName in adusers.  Given aduser is based on Active Directory and that you are expecting LDAP-like format in distinguishedName, I highly doubt the two fields can match exactly.

You are probably expecting SubjectUserName to match CN in DN, instead of matching DN itself.  If this is the case, you cannot use simple lookup unless you can and are willing to modify aduser table.  If modifying the table is not an option, you have to use inputlookup.  This also means that the search is not going to perform too well if aduser is large.  But you can try something like this.

index=wineventlog EventCode IN (4720, 4726, 4738, 4724)
| join SubjectUserName 
    [| inputlookup adusers
    | rename distinguishedName as _raw
    | kv kvdelim="=", pairdelim=","
    | where OU == "Information Technology"
    | rename CN as SubjectUserName
    ]
0 Karma
Reply

aoverfield
Explorer
‎03-03-2023 01:10 PM

You seem to be close. You have to add the fields from the lookup you want to be added to the search results. You are also trying to search on "distinguishedName" which is the field from the lookup, not the field that will be in your results from the indexed data. Try:

index=wineventlog (EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4724)
| lookup adusers distinguishedName AS SubjectUserName OUTPUT title as title
| search title="*help desk*" OR title="*Computer Technician*" OR title="*IT specialist*" OR title="*support*"
| search SubjectUserName="*OU=Information Technology*"
| table SubjectUserName user EventCode _time title

Also, since "SubjectUserName" is in the initial indexed data, you can add that to the beginning of the search to filter the initial dataset down even further. I noticed a dedup by user in your original post, so we can also write a stats command which will essentially combine the dedup and the table command to give you clean results.

Updated:

index=wineventlog (EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4724) SubjectUserName="*OU=Information Technology*"
| lookup adusers distinguishedName AS SubjectUserName OUTPUT title as title
| search title="*help desk*" OR title="*Computer Technician*" OR title="*IT specialist*" OR title="*support*"
| stats values(SubjectUserName) as SubjectUserName, values(EventCode) as event_codes, values(title) as title, earliest(_time) as first_time, latest(_time) as last_time, count by user

  

0 Karma
Reply

weetabixsplunk
Explorer
‎03-03-2023 01:21 PM

Thank you. I tried them both and I don't get any results. I know for a fact there's events for wineventlog under those eventcodes.

Additonally, howcome title is the field chosen for output.

I appreciate your help ❤️

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...