
Filter Events based on lookup file contents

Builder

Hey All,

I am attempting to write a search that looks for AD group adds/removals for specific groups executed by specific users.
I would like to use a lookup list for the AD group names but am a little unsure of the best way to write the search. My results should be any group modifications for any of the groups listed in the lookup that were not performed by a single account.

This is what I have so far:

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| search SubjectAcct!=ACCT AND Group_Name="GROUP"
| table _time name Group_Name SubjectAcct TargetAcct

0 Karma

Builder

This is what finally ended up working for me.

index=wineventlog EventCode IN (4728,4729)
[inputlookup rbacgroups]
| eval Subject_Acct=mvindex(Account_Name,0)
| eval Target_Acct=mvindex(Account_Name,1)
| search Subject_Acct!=ACCT
| table _time Group_Name Subject_Acct Target_Acct

0 Karma

Builder

This was working with one entry in the lookup file, but now that I have multiple entries my search returns no results. Why is it so difficult in Splunk to have one field searched against the contents of a lookup file? It almost seems easier just to make a massive search string at some point.

0 Karma

SplunkTrust

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| lookup yourADgroup Group_Name OUTPUT Group_Name as result
| where isnotnull(result) AND SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct

or

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| join Group_Name [|inputlookup yourADgroup]
| search SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct

0 Karma

Builder

Hey @to4kawa,

Thanks for the assistance. I don't quite think I have it right still.

I want to match events that meet all the conditions including Group_Name matching a group name in the lookup list.

Lookup list name: RBACGROUPS
Column Name: GROUP
Field to search against: Group_Name

0 Karma

Builder

I have tried creating .csv files three different ways for my lookup list, and all of them still end up generating the error:
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

I have created it in Excel, Notepad++, and vi.

It's a simple lookup file with one column header and two entries.

GROUP
"Test Group 1",
"Test Group 2"

0 Karma

Builder

I tried both of your example queries and the join query doesn't return any results and the lookup query gives the error.

This should be much easier than this to match events based on lookup values.

0 Karma

SplunkTrust

My queries won't budge unless you fix them, because yourADgroup is nothing.

0 Karma
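As an added example (my own, not from any poster in this thread), here are the two query shapes from the SplunkTrust reply rewritten for the lookup actually described above (lookup RBACGROUPS, column GROUP, event field Group_Name): first the lookup form, then the inputlookup subsearch form. Because the lookup's only column is GROUP, the lookup command has to map GROUP onto the event field and can only OUTPUT columns that exist in the lookup, which is what the "Could not find all of the specified destination fields" error is about; likewise the subsearch has to rename GROUP to Group_Name so the generated OR clause searches the right event field. ACCT is the thread's placeholder for the excluded account, and RBACGROUPS is assumed to be a lookup definition rather than a bare CSV upload.

```spl
index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0), TargetAcct=mvindex(Account_Name,1)
| lookup RBACGROUPS GROUP AS Group_Name OUTPUT GROUP AS matched_group
| where isnotnull(matched_group) AND SubjectAcct!="ACCT"
| table _time Group_Name SubjectAcct TargetAcct

index=wineventlog EventCode IN (4728,4729)
    [| inputlookup RBACGROUPS | rename GROUP AS Group_Name | fields Group_Name]
| eval SubjectAcct=mvindex(Account_Name,0), TargetAcct=mvindex(Account_Name,1)
| search SubjectAcct!="ACCT"
| table _time Group_Name SubjectAcct TargetAcct
```

Each data row of the lookup CSV must hold exactly one value per header column, so a trailing comma on a row (as in the "Test Group 1", line above) adds an unnamed second column to that row. The subsearch form expands to (Group_Name="Test Group 1") OR (Group_Name="Test Group 2"), which is why the rename is needed.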