Splunk Search

Filter Events based on lookup file contents

adalbor
Builder

Hey All,

I am attempting to write a search that looks for AD group add/removals for specific groups executed by specific users.
I would like to use a lookup list for the AD group names but am a little unsure the best way to write the search. My results should be any group modifications for any of the groups listed in the lookup not performed by a single account.

This is what I have so far:

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| search SubjectAcct!=ACCT AND Group_Name="GROUP"
| table _time name Group_Name SubjectAcct TargetAcct

0 Karma

adalbor
Builder

This is what finally ended up working for me.

index=wineventlog EventCode IN (4728,4729)
    [| inputlookup rbacgroups
     | rename GROUP AS Group_Name
     | fields Group_Name ]
| eval Subject_Acct=mvindex(Account_Name,0)
| eval Target_Acct=mvindex(Account_Name,1)
| search Subject_Acct!="ACCT"
| table _time Group_Name Subject_Acct Target_Acct

0 Karma

adalbor
Builder

This was working with one entry in the lookup file, but now that I have multiple entries my search returns no results. Why is it so difficult in Splunk to have one field searched against the contents of a lookup file? It almost seems easier just to make a massive search string at some point.

0 Karma

to4kawa
Ultra Champion

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| lookup yourADgroup Group_Name OUTPUT Group_Name as result
| where isnotnull(result) AND SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct

or

index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| join Group_Name [|inputlookup yourADgroup]
| search SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct

0 Karma

adalbor
Builder

Hey @to4kawa,

Thanks for the assistance, I don't quite think I have it right still.

I want to match events that meet all the conditions including Group_Name matching a group name in the lookup list.

Lookup list name: RBACGROUPS
Column Name: GROUP
Field to search against: Group_Name

0 Karma

adalbor
Builder

I have tried creating .csv files three different ways for my lookup list, and all still end up generating the error:
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

I have created in Excel, notepad ++, and vi.

It's a simple lookup file with one column header and two entries.

GROUP
"Test Group 1",
"Test Group 2"

0 Karma

to4kawa
Ultra Champion
0 Karma

adalbor
Builder

I tried both of your example queries and the join query doesn't return any results and the lookup query gives the error.

This should be much easier than this to match events based on lookup values.

0 Karma

to4kawa
Ultra Champion

My queries won't budge unless you fix them, because yourADgroup is nothing.

0 Karma
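Pulling the thread together, here is an added example (not from any of the posters) of the lookup-based form with the field mapping written out explicitly. It assumes what the posts state: the lookup is named RBACGROUPS with a single column GROUP, the events carry the group in Group_Name, Account_Name holds the subject first and the member second, and ACCT is a placeholder for the one account whose changes should be excluded. The lookup's GROUP column is matched against the event's Group_Name, and the same column is written back under a new name so that a null means "not in the lookup":

```spl
index=wineventlog EventCode IN (4728,4729)
| eval Subject_Acct=mvindex(Account_Name,0), Target_Acct=mvindex(Account_Name,1)
| lookup RBACGROUPS GROUP AS Group_Name OUTPUT GROUP AS matched_group
| where isnotnull(matched_group) AND Subject_Acct!="ACCT"
| table _time EventCode Group_Name Subject_Acct Target_Acct
```

The "Could not find all of the specified destination fields" error in the thread comes from naming Group_Name as the lookup's own field when the column in the file is GROUP; the `GROUP AS Group_Name` clause is what maps the two. The CSV itself needs exactly the header GROUP and one value per data row, so a trailing comma on a row (as in the sample above) makes that row two columns wide and no longer matches the one-column header. If you prefer the subsearch style, the equivalent is `[| inputlookup RBACGROUPS | rename GROUP AS Group_Name | fields Group_Name]`, which expands into an OR of `Group_Name=...` terms; that form is subject to the default subsearch limit of 10,000 rows, so the `lookup` form scales better for large group lists. Two caveats before relying on this as a detection: 4728/4729 cover only security-enabled global groups (local groups are 4732/4733 and universal groups 4756/4757), and `mvindex(Account_Name,0)` depends on the field order in the extracted event, so verify with a quick `| table Account_Name` that the subject really is the first value in your data.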