Splunk Search

How to edit my search to display users from my Windows logs that are not found in a lookup table?

kaskirana01
New Member

Hi,

I have my Windows logs with all users and I have a lookup which has a few user names. I need to display the users which are not in the lookup table. Similar searches of mine work for all the other cases, but in this case, it's giving a list of all users which are there in my Windows logs without doing the NOT.

My search is:

index=windows EventID=4624 OR EventID=540 OR EventID=528 |rex field=Username "\\\\(?.+)"
|search NOT [|inputlookup trusted_users.csv|table names|rename names as user]
|eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S")
|stats values(users) by host

Someone please point out the error.
Thanks,
Kirana

1 Solution

tormodbp
Path Finder

Hi,

You provide too little information for me to be sure to create a working solution for you, but I can give some feedback based on how I interpret the information supplied in the question.

If you want to filter out events that do not include the usernames, you could use a query like this:

 index=windows EventID=4624 OR EventID=540 OR EventID=528  NOT [|inputlookup trusted_users.csv| fields + names]

The above inputlookup returns a list of the content of names-field, while the NOT notation would exclude all events containing one or more of the values in the names-field. The search assumes that the trusted users in the CSV-file are in the field names.


A possible implementation in your query would be something like this:

 index=windows EventID=4624 OR EventID=540 OR EventID=528 NOT [|inputlookup trusted_users.csv | fields + names]
 |eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S")
 |stats values(user) by host

The search assumes that the trusted users in the CSV-file are in the field names.

Hope this helps!

Cheers,


splunkton
Path Finder

[|inputlookup trusted_users.csv|table names|rename names as user]

replace the names in the table statement with user 🙂


kaskirana01
New Member

This is also not working



kaskirana01
New Member

Hi,
The above query did not work.
I will explain the scenario.

1. I have my Windows logs which have standard users and non-standard users logged into the machine.
2. I have to extract the users properly first since the user is combined with the host name. So I used the rex command first.
3. Now I have a lookup table trusted_users.csv which has all the trusted users.

My result should contain all the users who are non-standard users, i.e., the list of users who are not mentioned in the lookup table.

Can you please see now,

Thanks


tormodbp
Path Finder

Have you successfully extracted the field for the user? Personally I have used "Field extraction" to extract all the important fields for my Windows logs. In theory the inputlookup will try to match any field.

I forgot to remove a word in the query. Please re-run the last query in my answer. You can also remove the eval and stats so that you can be sure that those are not causing the problem.


kaskirana01
New Member

Hi,
I have successfully extracted the field. But after the lookup, instead of displaying only the remaining users, the command is displaying all the users. 😞


sundareshr
Legend

Field name does not match. You have 3 instances where you use the user field.

1) rex command, I assume, it's user
2) inputlookup, it's user
3) stats, it's users


kaskirana01
New Member

Yes. I have extracted the user using rex and am comparing that user with the name field in trusted_users.csv. In the stats(user) I am displaying it.

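Pulling together tormodbp's accepted answer and sundareshr's diagnosis (the rex group, the subsearch field and the stats field must all carry the same name), here is the asker's search with `user` used end to end, followed by a lookup-based variant that does not depend on the subsearch row limit; this is added example SPL written for this thread, not code from any of the posts. It assumes the rex named group is `user` (the group name did not survive in the question as posted) and that trusted_users.csv has a `names` column, as tormodbp's answer states.

```spl
index=windows (EventID=4624 OR EventID=540 OR EventID=528)
| rex field=Username "\\\\(?<user>.+)"
| search NOT [| inputlookup trusted_users.csv | rename names AS user | fields user]
| eval c_time=strftime(_time, "%m/%d/%y %H:%M:%S")
| stats values(user) AS untrusted_users BY host

index=windows (EventID=4624 OR EventID=540 OR EventID=528)
| rex field=Username "\\\\(?<user>.+)"
| lookup trusted_users.csv names AS user OUTPUT names AS trusted
| where isnull(trusted)
| stats values(user) AS untrusted_users, count BY host
```

In the second form, `OUTPUT names AS trusted` is null for every event whose user has no row in the CSV, so `where isnull(trusted)` keeps exactly the logons by non-trusted accounts. Lookup matching is case-sensitive by default, so if the CSV values are lower-case, normalise with `eval user=lower(user)` before the lookup.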