Splunk Search

How to use lookup to exclude a list of user_names and service_file_names

Explorer

I am trying to run a search that shows executables that are run by any user on my network. Yet I want to exclude from the search the typically run service .exe's and associated service user accounts. I have searched throughout the Splunk website and have done a fair amount of googling on how this can be done but had no success in my search. I have added what I have been trying to achieve below.

Can anyone help me figure out how to achieve this?

*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc


Contributor

You can add a flag to your lookup to tell the next part of the pipeline what to do.

e.g.

file.csv:
thing, exclude
some_user,1
other_user,1

Define the lookup as minimum match = 1 and fill unmatched values with 0.

then in your search

event_stream| lookup yourlookup thing | search exclude=0 | do something to what's left

much easier to maintain...

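As an added illustration of the flag approach above (this is not the poster's own search): it assumes an uploaded lookup file ExclusionList.csv with the header User_Name,Image_File_Name,exclude and rows such as svc_backup,backupsvc.exe,1, plus Windows process-creation events in an assumed index wineventlog with EventCode=4688. The first search excludes only listed user/executable pairs (both lookup fields must match a row); the second goes beyond the post and excludes an event when either its user or its executable is listed, which is what the original OR filter was reaching for. fillnull plays the role of the "fill unmatched values with 0" lookup setting, so no transforms.conf change is needed.

```spl
index=wineventlog EventCode=4688 Image_File_Name="*.exe"
| lookup ExclusionList.csv User_Name, Image_File_Name OUTPUT exclude
| fillnull value=0 exclude
| where exclude=0
| stats count by User_Name, Image_File_Name, host
| sort - count

index=wineventlog EventCode=4688 Image_File_Name="*.exe"
| lookup ExclusionList.csv User_Name OUTPUT exclude AS user_excluded
| lookup ExclusionList.csv Image_File_Name OUTPUT exclude AS image_excluded
| fillnull value=0 user_excluded image_excluded
| where user_excluded=0 AND image_excluded=0
| stats count by User_Name, Image_File_Name, host
| sort - count
```

Lookup matching is case-sensitive unless the lookup definition sets case_sensitive_match to false, so a service account logged as SVC_BACKUP will not match a row written in lower case.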

Explorer

Thanks to all of you that gave me some pointers on a direction to go to with addressing my issue. I ended up going with something a little less complex in regards to using a table as a lookup for exclusions. Because I was only going to be having 10-15 service accounts and services that needed to be excluded, I chose to go with the following:

*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT (ServiceAccount OR WHATEVER.exe) NOT (ServiceAccount1 OR WHATEVER1.exe) NOT (ServiceAccount2 OR WHATEVER2.exe) NOT (ServiceAccount3 OR WHATEVER3.exe) | stats count by User_Name, Image_File_Name, host | sort count desc


Legend

I don't see format there? Anyway, two errors that I can see right away: you're missing a pipe before inputlookup. Also after the first pipe you don't have a command at all? Just something that seems to be meant to be search filters?

Explorer

Ayn:

Original search:

*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc

Running search as you suggested:

inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name") | stats count by User_Name, Image_File_Name, host | sort count desc


Legend

Show the exact search you're running, please.

Explorer

I tried running the subsearch on its own with the "| format" as you suggested and got the following error.

Error in 'format' command: The ' ' arguments must be specified together or not at all.


Explorer

Ayn - I probably should have bolded out the search that I was trying to use so that it was a little more clear and stood out. The search that I started out with is mentioned above for you to review, in my original post. Thanks for taking the time to try and help me.


Legend

What does your search look like? And if this problem occurs when you add your subsearch, run the subsearch on its own (without the brackets etc) and add "| format" at the end. This will show you the exact filter string that the subsearch will emit.

Explorer

Thank you both for your suggestions. I tried both and now seem to be getting an "unbalanced quote" error.


Legend

Better yet, don't use the where statement.

<yoursearch> NOT [|inputlookup ExclusionList.csv]

Champion

Could you try this

your search query|where NOT [|inputcsv file.csv]

Here file.csv contains the User_Name,Image_File_Name list. Please give it a try.
