I'm trying to get this use case going from MS Windows AD Objects, but I can't get any results.
index=wineventlog source=WinEventLog:Security [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="User"]
I have a deployment server on prem and a Splunk Cloud instance.
Where should I go to troubleshoot? The lookup definition is present in settings as is the lookup file (in the Cloud.) I even tried creating a stanza in transforms.conf on the deployment server in the \Program Files\Splunk\etc\deployment-apps\Splunk_TA_microsoft_ad\local directory.
**####### Windows Security Event Log ######
filename = ms_ad_obj_change_eventcodes.csv**
What am I missing here? Thanks!
Hi I am having the same issue. Were you able to get this search working? Particularly the macro that is not working is called
ms_ad_obj_all_changes_base from "MS Windows AD Objects" app. The search is "eventtype=ms_ad_obj_wineventlog_security [|inputlookup AD_Audit_Change_EventCodes | stats values(EventCode) AS EventCode by obj_type | format | table search] src_user_type="user" | search NOT(EventCode=4723 AND src_user!=user)". When ran separately "|inputlookup AD_Audit_Change_EventCodes | stats values(EventCode) AS EventCode by obj_type | format | table search" or "eventtype=ms_ad_obj_wineventlog_security" I get results but when put together I get no results. I have checked macro, file and definition permissions all look intact. Also tried separating everything from each other in the search no luck. Thank you for any help in this.
Whenever you are debugging a search, break it down.
Does this return events?
If so, then does this return events (not that I added a pipe (
| ) before your
WHERE and I switched to
search instead (I always use
search when the Right-Hand-Side value is a string constant)?
|inputlookup AD_Audit_Change_EventCodes | search change_category="User"
If so, then use
format to see what search string is generated; does it look like what you need?
|inputlookup AD_Audit_Change_EventCodes | search change_category="User" | format
You should be good-to-go.
I reckon it is permission related, make sure to configure the permission so the lookup is globally available - see the docs for more details https://docs.splunk.com/Documentation/Splunk/latest/Admin/Apparchitectureandobjectownership
Hope this helps ...