Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you pass a case or if statement value to a lookup table search?

doodoodonk
Engager
‎06-04-2018 02:25 PM

Background:

I have having some issues with LDAP Identities that have the same identity name so I was trying to carve out the domain name from the workstation name "e.g., somesystem.domain.whatever.com" --> "domain.whatever.com" and use that newly created value to do a case or if comparison to run one lookup search over another. 

sourcetype=WinEventLog:PowerShell `PS_Command_Filter` `PS_Cmd_Rules` NOT [|inputlookup Powershell_Path_WL.csv | fields Powershell_WL | rename Powershell_WL as Path] |lookup Powershell_Blacklist BlacklistedPS as Command_Line OUTPUT Alert | eval Command_Line=substr(Command_Line,1,100) | rex field=ComputerName "\.(?<Domain>.*)" | table _time, ComputerName, EventCode, Type, Sid, LogName, Path, ScriptBlock_ID, Alert, Command_Line, recipients | where isnotnull(Alert)| eval usrlookup=case(Domain=="somedomain.whatever.com", "ldap_identities_sat", Domain=="someotherdomain.whatever.com", "ldap_identities") |lookup $usrlookup$ sid as Sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city | makemv delim="|" allowempty=true user_category

Basically I am trying to determine which ldap lookup to use based on the domain comparison from the ComputerName results of regex field Domain. I want to pass the result to the lookup table to use, but I couldn't really find any answer that showed a really good example of how this could be done other than on dashboards as an input token, but I want this as a correlation search to run and alert off of. The ldap lookup would identify the proper user based on the Domain.

Emphasis of what I am trying to do code wise:

| eval usrlookup=case(Domain=="somedomain.whatever.com", "ldap_identities_sat", Domain=="someotherdomain.whatever.com", "ldap_identities") |lookup $usrlookup$ sid as Sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎06-04-2018 07:46 PM

When I've hit a similar issue, my approach was similar to yours, but I couldn't figure out a way to pass the lookup table name as a variable. So instead, I sorted the values I needed to lookup into different variables, based on the if/case statement describing them. In your case, I think that would look like this:

sourcetype=WinEventLog:PowerShell `PS_Command_Filter` `PS_Cmd_Rules` NOT 
[| inputlookup Powershell_Path_WL.csv 
 | fields Powershell_WL 
 | rename Powershell_WL as Path ] 
| lookup Powershell_Blacklist BlacklistedPS as Command_Line OUTPUT Alert | eval Command_Line=substr(Command_Line,1,100) 
| rex field=ComputerName "\.(?<Domain>.*)" 
| table _time, ComputerName, EventCode, Type, Sid, LogName, Path, ScriptBlock_ID, Alert, Command_Line, recipients 
| where isnotnull(Alert)
| eval somedomain_sid=if(Domain=="somedomain.whatever.com", Sid, NULL)
| eval someotherdomain_sid=if(Domain=="someotherdomain.whatever.com", Sid, NULL) 
| lookup ldap_identities_sat sid as somedomain_sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city 
| lookup ldap_identities sid as someotherdomain_sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city 
| makemv delim="|" allowempty=true user_category

With this approach, the Sid values are separated into somedomain_sid and someotherdomain_sid based on the Domain value, and then the appropriate lookups are consulted for each.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎06-04-2018 07:46 PM

When I've hit a similar issue, my approach was similar to yours, but I couldn't figure out a way to pass the lookup table name as a variable. So instead, I sorted the values I needed to lookup into different variables, based on the if/case statement describing them. In your case, I think that would look like this:

sourcetype=WinEventLog:PowerShell `PS_Command_Filter` `PS_Cmd_Rules` NOT 
[| inputlookup Powershell_Path_WL.csv 
 | fields Powershell_WL 
 | rename Powershell_WL as Path ] 
| lookup Powershell_Blacklist BlacklistedPS as Command_Line OUTPUT Alert | eval Command_Line=substr(Command_Line,1,100) 
| rex field=ComputerName "\.(?<Domain>.*)" 
| table _time, ComputerName, EventCode, Type, Sid, LogName, Path, ScriptBlock_ID, Alert, Command_Line, recipients 
| where isnotnull(Alert)
| eval somedomain_sid=if(Domain=="somedomain.whatever.com", Sid, NULL)
| eval someotherdomain_sid=if(Domain=="someotherdomain.whatever.com", Sid, NULL) 
| lookup ldap_identities_sat sid as somedomain_sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city 
| lookup ldap_identities sid as someotherdomain_sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city 
| makemv delim="|" allowempty=true user_category

With this approach, the Sid values are separated into somedomain_sid and someotherdomain_sid based on the Domain value, and then the appropriate lookups are consulted for each.

0 Karma
Reply
Solved! Jump to solution

doodoodonk
Engager
‎06-06-2018 12:50 PM

That worked perfectly. Thanks.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2018 03:13 PM

One dirty workaround would be like this:

|lookup ldap_identities_sat sid as Sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city
|lookupldap_identities sid as Sid OUTPUT identity as user#, nick as user_nick#, bunit as user_bunit#, category as user_category#, email as user_email#, watchlist as user_watchlist#, work_city as user_work_city#
| foreach *# [ eval "<<MATCHSTR>>"=case(Domain=="somedomain.whatever.com", '<<MATCHSTR>>', Domain=="someotherdomain.whatever.com", '<<FIELD>>') ]
| fields - *#

Basically run both the lookup but use different output field names from one lookup. The based on domain, use specific field (either output field from lookup 1 or lookup 2)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...