Splunk Search

Filter Events based on lookup file contents

adalbor
Builder

Hey All,

I am attempting to write a search that looks for AD group add/removals for specific groups executed by specific users.
I would like to use a lookup list for the AD group names but am a little unsure the best way to write the search. My results should be any group modifications for any of the groups listed in the lookup not performed by a single account.

This is what I have so far:

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| search SubjectAcct!=ACCT AND Group_Name="GROUP"
| table _time name Group_Name SubjectAcct TargetAcct

0 Karma

adalbor
Builder

This is what finally ended up working for me.

index=wineventlog EventCode IN (4728,4729)
[inputlookup rbacgroups]
| eval Subject_Acct=mvindex(Account_Name,0)
| eval Target_Acct=mvindex(Account_Name,1)
| search Subject_Acct!=ACCT
| table _time Group_Name Subject_Acct Target_Acct

0 Karma

adalbor
Builder

This was working with one entry in the lookup file, but now that I have multiple entries my search returns no results. Why is it so difficult in Splunk to have one field searched against the contents of a lookup file? It almost seems easier just to make a massive search string at some point.

0 Karma

to4kawa
Ultra Champion

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| lookup yourADgroup Group_Name OUTPUT Group_Name as result
| where isnotnull(result) AND SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct

or

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| join Group_Name [|inputlookup yourADgroup]
| search SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct

0 Karma
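The same filter as the SPL above, written as an added Python example (not from this thread or from Splunk) over constructed events and a constructed lookup file: it keeps 4728/4729 events whose Group_Name is in the lookup and whose subject account is not the excluded one, and it flags lookup rows whose field count differs from the header's, since a row with a stray trailing comma parses as two fields. The event shape and the account names are assumptions.

```python
import csv
import io

# Constructed lookup file contents (not from the thread). The first data row
# carries a trailing comma, so the csv module parses it as two fields, not one.
LOOKUP_CSV = 'GROUP\n"Test Group 1",\n"Test Group 2"\n'

# Constructed Windows Security events shaped like the fields the SPL uses:
# Account_Name is multivalue, index 0 = subject (actor), index 1 = target.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventCode": 4728, "Group_Name": "Test Group 1",
     "Account_Name": ["svc_automation", "jdoe"]},
    {"_time": "2024-05-01T10:05:00", "EventCode": 4728, "Group_Name": "Test Group 2",
     "Account_Name": ["admin1", "jsmith"]},
    {"_time": "2024-05-01T10:07:00", "EventCode": 4729, "Group_Name": "Other Group",
     "Account_Name": ["admin1", "jsmith"]},
    {"_time": "2024-05-01T10:09:00", "EventCode": 4732, "Group_Name": "Test Group 1",
     "Account_Name": ["admin1", "jsmith"]},
]


def load_group_lookup(text, column="GROUP"):
    """Parse the lookup CSV. Returns (set of group names, list of malformed rows).
    A row whose field count differs from the header's is reported instead of
    used, because a one-column lookup never matches a two-field row."""
    rows = list(csv.reader(io.StringIO(text)))
    header = rows[0]
    idx = header.index(column)
    groups, bad = set(), []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            bad.append((lineno, row))
            continue
        groups.add(row[idx])
    return groups, bad


def find_group_changes(events, groups, excluded_account, codes=(4728, 4729)):
    """Equivalent of the thread's SPL: member add/remove on a watched group,
    not performed by the excluded account. Returns rows like the final table."""
    out = []
    for ev in events:
        subject, target = ev["Account_Name"][0], ev["Account_Name"][1]
        if ev["EventCode"] in codes and ev["Group_Name"] in groups \
                and subject != excluded_account:
            out.append({"_time": ev["_time"], "Group_Name": ev["Group_Name"],
                        "Subject_Acct": subject, "Target_Acct": target})
    return out
```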

adalbor
Builder

Hey @to4kawa,

Thanks for the assistance; I don't quite think I have it right still.

I want to match events that meet all the conditions including Group_Name matching a group name in the lookup list.

Lookup list name: RBACGROUPS
Column Name: GROUP
Field to search against: Group_Name

0 Karma

adalbor
Builder

I have tried creating .csv files three different ways for my lookup list and all still end up generating the error:
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

I have created it in Excel, Notepad++, and vi.

It's a simple lookup file with one column header and two entries.

GROUP
"Test Group 1",
"Test Group 2"

0 Karma

to4kawa
Ultra Champion

0 Karma

adalbor
Builder

I tried both of your example queries and the join query doesn't return any results and the lookup query gives the error.

It should be much easier than this to match events based on lookup values.

0 Karma

to4kawa
Ultra Champion

My queries won't budge unless you fix them, because yourADgroup is nothing.

0 Karma