Splunk Search

How to get Wildcards and Special Characters on lookup table?

Explorer

I'm posting this as everything I have been referencing is from years ago.

I need to relate Users to GPO changes. The problem is that the GPO's EventCode=5136 only reports the distinguishedName (DN). So I exported a GPOGUIDdisplayName.csv file with the following formats.

GUID,displayName
"CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com",Windows 10
CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}*,Default Domain Policy
CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com,DefaultDomainPolicy2

my search look like this
index="wineventlog" Class=groupPolicyContainer GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" OR GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" source="WinEventLog:Security"
| stats count by user,GUID,time
| lookup GPO
GUID_displayName.csv GUID output displayName
| rename _time as Date
| convert timeformat=%F ctime(Date)
| table Date,user,GUID,displayName

I get everything as expected but the mythical displayName that no matter what format I use seems to always be blank. I figured that the comas on the csv for the FQDN its messing up the file which is that I'm trying to make the wildcard work with the lookup or even if the quotation would. I have looked into this whole transforms thing from past post but I simply don't get it and I'm not totally sure how to access the file as I do everything thru the web GUI. any help its appreciated.

0 Karma
1 Solution

Explorer

Upon a deeper look into my csv file I noticed a formatting difference. My csv was an export of another table generated from my index=msda. I made the table with displayName and distinguishedName. The distinguishedName field has an extra comma. That my Splunk friends solve it. So moral of the story is make sure there are not format errors and the data to match. I was able to spot it by making a smaller sample to test the output. Hope this helps and apologize for the confusion.

View solution in original post