- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How come our INPUTLOOKUP is returning no results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How come our INPUTLOOKUP is returning no results?
I'm trying to get this use case going from MS Windows AD Objects, but I can't get any results.
index=wineventlog source=WinEventLog:Security [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="User"]
I have a deployment server on prem and a Splunk Cloud instance.
Where should I go to troubleshoot? The lookup definition is present in settings as is the lookup file (in the Cloud.) I even tried creating a stanza in transforms.conf on the deployment server in the \Program Files\Splunk\etc\deployment-apps\Splunk_TA_microsoft_ad\local directory.
**####### Windows Security Event Log ######
Lookups
[AD_Audit_Change_EventCodes]
filename = ms_ad_obj_change_eventcodes.csv**
What am I missing here? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I am having the same issue. Were you able to get this search working? Particularly the macro that is not working is called ms_ad_obj_all_changes_base from "MS Windows AD Objects" app. The search is "eventtype=ms_ad_obj_wineventlog_security [|inputlookup AD_Audit_Change_EventCodes | stats values(EventCode) AS EventCode by obj_type | format | table search] src_user_type="user" | search NOT(EventCode=4723 AND src_user!=user)". When ran separately "|inputlookup AD_Audit_Change_EventCodes | stats values(EventCode) AS EventCode by obj_type | format | table search" or "eventtype=ms_ad_obj_wineventlog_security" I get results but when put together I get no results. I have checked macro, file and definition permissions all look intact. Also tried separating everything from each other in the search no luck. Thank you for any help in this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whenever you are debugging a search, break it down.
Does this return events?
|inputlookup AD_Audit_Change_EventCodes
If so, then does this return events (not that I added a pipe ( | ) before your WHERE and I switched to search instead (I always use search when the Right-Hand-Side value is a string constant)?
|inputlookup AD_Audit_Change_EventCodes | search change_category="User"
If so, then use format to see what search string is generated; does it look like what you need?
|inputlookup AD_Audit_Change_EventCodes | search change_category="User" | format
You should be good-to-go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use
index=wineventlog source=WinEventLog:Security [|inputlookup AD_Audit_Change_EventCodes| WHERE change_category="User"]
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sbgoldberg13,
I reckon it is permission related, make sure to configure the permission so the lookup is globally available - see the docs for more details https://docs.splunk.com/Documentation/Splunk/latest/Admin/Apparchitectureandobjectownership
Hope this helps ...
cheers, MuS
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
