Splunk Search

How to subsearch with JOIN with multiples fields?


I'm trying to build a search that returns the changes that were made to the GPO.

For this, I have my main search that looks for EventCode 4662, 5137, 5136, 5141, which are related to changes in the GPO, but they do not show what the change was specifically.

I have another index (AD AUDIT) that logs all changes.

I'm trying to use join, but I can't get the changes to return. Changes have more than one field for each GPO_GUID.

My search looks like this:

index=win (EventCode=4662 ObjectType=groupPolicyContainer) OR (EventCode=5137 ObjectClass=groupPolicyContainer) OR (EventCode=5136 ObjectClass=groupPolicyContainer) OR (EventCode=5141 ObjectClass=groupPolicyContainer Tree_Delete=yes) 
| rex field=ObjectName "(?i)CN=(?<gpo_guid>{.*?})"
| rex field=ObjectDN "(?i)CN=(?<gpo_guid>{.*?})"
| join type=left gpo_guid
[ search index=summary objectClass=groupPolicyContainer earliest=-24h@h latest=now()
| stats count by cn, displayName
| fields + cn, displayName
| rename cn as gpo_guid ]
| eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
| table action, src_user, displayName, gpo_guid, ObjectGUID
| rename ObjectGUID as ADDITIONAL_INFO
| join max=0 type=left ADDITIONAL_INFO
[ search index=audit


Is my search correct?

For the join to run successfully I need the search field 1 to be the same as the search field 2, correct?

If the changes in GPOs are multiple, how can I get these results?
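The way I would write this correlation, as an added example that is not part of the original post: both sides of a join must carry the key under the same field name, and `max=0` is what keeps every matching row instead of only the first. It assumes the audit index exposes the GPO GUID as `gpo_guid` and the change text as `change_detail` (both assumed names); comments use Splunk's triple-backtick syntax (8.0+).

```spl
index=win ((EventCode=4662 ObjectType=groupPolicyContainer) OR (EventCode=5136 ObjectClass=groupPolicyContainer) OR (EventCode=5137 ObjectClass=groupPolicyContainer) OR (EventCode=5141 ObjectClass=groupPolicyContainer Tree_Delete=yes))
| eval dn=coalesce(ObjectDN, ObjectName)   ``` 4662 carries ObjectName, 513x carry ObjectDN: take whichever exists ```
| rex field=dn "(?i)CN=(?<gpo_guid>\{[0-9A-F-]{36}\})"   ``` a GPO GUID is exactly 36 hex/dash chars in braces; {.*?} also matches junk ```
| where isnotnull(gpo_guid)
| eval gpo_guid=lower(gpo_guid)   ``` join is an exact string match, so normalise the key on both sides ```
| eval action=case(EventCode=5137,"CREATED", EventCode=5136,"MODIFIED", EventCode=5141,"DELETED", EventCode=4662,"ACCESSED")
| join type=left gpo_guid   ``` one row per GPO comes back here, so a plain join (default max=1) is fine ```
    [ search index=summary objectClass=groupPolicyContainer earliest=-24h@h latest=now
      | stats latest(displayName) AS displayName BY cn
      | eval gpo_guid=lower(cn)
      | fields gpo_guid displayName ]
| join max=0 type=left gpo_guid   ``` max=0 keeps EVERY audit row for the GUID; default max=1 would silently drop all but one ```
    [ search index=audit gpo_guid=*   ``` ASSUMED field names in the audit index: gpo_guid, change_detail ```
      | eval gpo_guid=lower(gpo_guid)
      | fields gpo_guid change_detail ]
| stats values(action) AS actions, values(change_detail) AS changes, min(_time) AS first_seen, max(_time) AS last_seen BY gpo_guid, displayName, src_user
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, src_user, displayName, gpo_guid, actions, changes
```

The join subsearch is truncated at 50,000 rows / 60 seconds by default, so on a busy audit index narrow it with the same time range as the outer search or move the correlation to `stats ... BY gpo_guid` over an `OR` of both indexes.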

