Splunk Search

How come our INPUTLOOKUP is returning no results?

Engager

I'm trying to get this use case going from MS Windows AD Objects, but I can't get any results.

index=wineventlog source=WinEventLog:Security [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="User"]

I have a deployment server on prem and a Splunk Cloud instance.

Where should I go to troubleshoot? The lookup definition is present in settings as is the lookup file (in the Cloud.) I even tried creating a stanza in transforms.conf on the deployment server in the \Program Files\Splunk\etc\deployment-apps\Splunk_TA_microsoft_ad\local directory.

####### Windows Security Event Log ######

Lookups

[AD_Audit_Change_EventCodes]
filename = ms_ad_obj_change_eventcodes.csv

What am I missing here? Thanks!

0 Karma

Path Finder

Hi, I am having the same issue. Were you able to get this search working? In particular, the macro that is not working is called ms_ad_obj_all_changes_base from the "MS Windows AD Objects" app. The search is "eventtype=ms_ad_obj_wineventlog_security [|inputlookup AD_Audit_Change_EventCodes | stats values(EventCode) AS EventCode by obj_type | format | table search] src_user_type="user" | search NOT(EventCode=4723 AND src_user!=user)". When run separately, "|inputlookup AD_Audit_Change_EventCodes | stats values(EventCode) AS EventCode by obj_type | format | table search" or "eventtype=ms_ad_obj_wineventlog_security" gives results, but when put together I get no results. I have checked the macro, file and definition permissions; all look intact. I also tried separating everything from each other in the search, with no luck. Thank you for any help with this.

0 Karma

Esteemed Legend

Whenever you are debugging a search, break it down.
Does this return events?

|inputlookup AD_Audit_Change_EventCodes

If so, then does this return events? (Note that I added a pipe ( | ) before your WHERE and switched to search instead; I always use search when the right-hand-side value is a string constant.)

|inputlookup AD_Audit_Change_EventCodes | search change_category="User"

If so, then use format to see what search string is generated; does it look like what you need?

|inputlookup AD_Audit_Change_EventCodes | search change_category="User" | format

You should be good-to-go.

0 Karma
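The step-by-step breakdown above (inputlookup, then the filter, then format) and the stats-by-obj_type variant from the earlier reply can be simulated offline so the generated search string is visible before it is ever run against the index. The following is an added example, not code from this thread or from the MS Windows AD Objects app. It assumes Splunk's default `format` behaviour (rows wrapped in parentheses and joined with OR, columns within a row joined with AND, multivalue fields joined with OR) and that a subsearch is implicitly passed through `format`; the CSV and the event field list are constructed stand-ins, not the TA's real ms_ad_obj_change_eventcodes.csv. The useful check it adds is `missing_fields`: every column the subsearch returns becomes a search term, so a lookup-only column such as change_category or obj_type that the raw Security events never carry makes the combined search match nothing, and `keep_fields` shows the effect of trimming the subsearch to EventCode.

```python
"""
Added example (not from the thread): simulate what a Splunk subsearch built
from an inputlookup expands into, so the generated terms can be inspected.
Assumed `format` defaults: "(" row prefix, columns joined with AND, rows
joined with OR, multivalue fields joined with OR (mvsep). The lookup CSV
and event field set below are constructed, not the TA's real data.
"""
import csv
import io
import re

# Constructed sample lookup: column names follow the thread, values are made up.
SAMPLE_LOOKUP_CSV = """EventCode,change_category,obj_type
4720,User,user
4726,User,user
4727,Group,group
4730,Group,group
"""

# Constructed field list of a raw WinEventLog:Security event: it carries
# EventCode but none of the lookup-only columns.
SAMPLE_EVENT_FIELDS = {"EventCode", "src_user", "user", "host", "_time"}


def load_lookup(csv_text):
    """Step 1: `| inputlookup <name>` -> one dict per CSV row, header order kept."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search_filter(rows, field, value):
    """Step 2: `| search <field>="<value>"` with a string-constant right-hand side."""
    return [r for r in rows if r.get(field) == value]


def keep_fields(rows, names):
    """`| fields <names>`: drop every column that is not listed."""
    return [{k: r[k] for k in names if k in r} for r in rows]


def stats_values_by(rows, value_field, by_field):
    """`| stats values(<value_field>) AS <value_field> by <by_field>`:
    one row per group; the value field becomes a sorted multivalue list."""
    groups = {}
    for r in rows:
        groups.setdefault(r[by_field], set()).add(r[value_field])
    return [{by_field: k, value_field: sorted(groups[k])} for k in sorted(groups)]


def format_search(rows, mvsep="OR"):
    """Step 3: `| format` with default prefixes and separators (an approximation)."""
    if not rows:
        return ""
    row_strs = []
    for r in rows:
        col_strs = []
        for field, val in r.items():
            vals = val if isinstance(val, list) else [val]
            terms = [f'{field}="{v}"' for v in vals]
            if len(terms) == 1:
                col_strs.append(terms[0])
            else:  # multivalue field: values joined with mvsep inside their own group
                col_strs.append("( " + f" {mvsep} ".join(terms) + " )")
        row_strs.append("( " + " AND ".join(col_strs) + " )")
    return "( " + " OR ".join(row_strs) + " )"


def referenced_fields(search_string):
    """Every field name the generated string searches on."""
    return sorted(set(re.findall(r'(\w+)="', search_string)))


def missing_fields(search_string, event_fields):
    """Fields the subsearch demands that the outer events cannot supply;
    any entry here means the combined search can only return nothing."""
    return [f for f in referenced_fields(search_string) if f not in event_fields]


if __name__ == "__main__":
    rows = load_lookup(SAMPLE_LOOKUP_CSV)
    user_rows = search_filter(rows, "change_category", "User")
    generated = format_search(user_rows)
    print("generated:", generated)
    print("missing in events:", missing_fields(generated, SAMPLE_EVENT_FIELDS))
    print("trimmed:", format_search(keep_fields(user_rows, ["EventCode"])))
    print("grouped:", format_search(stats_values_by(rows, "EventCode", "obj_type")))
```

Running the block prints the expanded string for each variant; the first one references change_category and obj_type, which the constructed event does not have, while the trimmed version references only EventCode. The same comparison can be done against real data by running the subsearch with `| format` on its own, as the answer above suggests, and checking each referenced field against the fields the outer events actually carry.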

New Member

Use

index=wineventlog source=WinEventLog:Security [|inputlookup AD_Audit_Change_EventCodes| WHERE change_category="User"]

Thanks.

0 Karma

SplunkTrust

Hi sbgoldberg13,

I reckon it is permission related, make sure to configure the permission so the lookup is globally available - see the docs for more details https://docs.splunk.com/Documentation/Splunk/latest/Admin/Apparchitectureandobjectownership

Hope this helps ...

cheers, MuS

0 Karma