How to get Wildcards and Special Characters on lookup table?

rororspec
Explorer

I'm posting this as everything I have been referencing is from years ago.

I need to relate Users to GPO changes. The problem is that the GPO's EventCode=5136 only reports the distinguishedName (DN). So I exported a GPO_GUID_displayName.csv file with the following formats.

GUID,displayName
"CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com",Windows 10
CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}*,Default Domain Policy
CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com,DefaultDomainPolicy2

My search looks like this:
index="wineventlog" Class=groupPolicyContainer GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" OR GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" source="WinEventLog:Security"
| stats count by user,GUID,_time
| lookup GPO_GUID_displayName.csv GUID output displayName
| rename _time as Date
| convert timeformat=%F ctime(Date)
| table Date,user,GUID,displayName

I get everything as expected but the mythical displayName, which, no matter what format I use, seems to always be blank. I figured that the commas in the CSV for the FQDN are messing up the file, which is why I'm trying to make the wildcard work with the lookup, or even see if the quotation would. I have looked into this whole transforms thing from past posts but I simply don't get it, and I'm not totally sure how to access the file as I do everything through the web GUI. Any help is appreciated.

1 Solution

rororspec
Explorer

Upon a deeper look into my CSV file I noticed a formatting difference. My CSV was an export of another table generated from my index=msda. I made the table with displayName and distinguishedName. The distinguishedName field has an extra comma. That, my Splunk friends, solved it. So the moral of the story is: make sure there are no format errors and that the data matches. I was able to spot it by making a smaller sample to test the output. Hope this helps, and I apologize for the confusion.

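A quick way to catch the defect the accepted answer describes before uploading the file, as an added example that is neither the poster's code nor Splunk's: the script below parses a constructed sample lookup (placeholder GUIDs) and flags rows whose commas spilled into extra fields, then emulates the lookup, including the glob match that a WILDCARD(GUID) match_type in the lookup definition would provide.

```python
import csv
import fnmatch
import io

# Constructed sample lookup file (placeholder GUIDs, not the poster's data).
# Row 2: DN quoted, so its commas stay inside one field.
# Row 3: wildcard key, the form the poster tried.
# Row 4: DN left unquoted, so its commas spill into extra columns. This is the
#        "extra comma" defect the accepted answer found.
SAMPLE_CSV = """GUID,displayName
"CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=com",Windows 10
CN={22222222-2222-2222-2222-222222222222}*,Default Domain Policy
CN={33333333-3333-3333-3333-333333333333},CN=Policies,CN=System,DC=example,DC=com,Broken Policy
"""


def check_lookup_csv(text):
    """Return (row_number, message) for every row whose field count differs
    from the header's. Such rows get keyed on a truncated GUID and never match."""
    rows = list(csv.reader(io.StringIO(text)))
    header, problems = rows[0], []
    for number, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append((number, f"expected {len(header)} fields, got {len(row)}"))
    return problems


def lookup_display_name(text, guid):
    """Emulate the lookup: exact match on GUID, plus glob matching for keys that
    contain '*' (what a WILDCARD(GUID) match_type in the lookup definition does)."""
    for row in csv.DictReader(io.StringIO(text)):
        key = row["GUID"]
        if key == guid or ("*" in key and fnmatch.fnmatchcase(guid, key)):
            return row["displayName"]
    return None


if __name__ == "__main__":
    for number, message in check_lookup_csv(SAMPLE_CSV):
        print(f"row {number}: {message}")
    dn = "CN={33333333-3333-3333-3333-333333333333},CN=Policies,CN=System,DC=example,DC=com"
    print(lookup_display_name(SAMPLE_CSV, dn))  # None: the broken row never matches
```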