Splunk Search

Lookup question

OgoNARA
Explorer

Hi,

I'm pretty new to Splunk and I have a simple question that maybe one of you guys could help me figure out. I have a search that I'm using to find the latest login events for a specific set of users. The problem is that there are about 130 users, and I tried specifying the users in the search using (Account_Name=user1 OR Account_Name=user2 OR Account_Name=user3.......). I tried entering all 130, but it didn't work; I noticed there was a limit after some point, and then I'd stop receiving results. So I did some research and I noticed people mentioned lookup files. So I created a CSV file with the list of actual users that I'd like to run a report on. How can I join the lookup file to the query so I'm only joining the values from the "UserID" field in my lookup table to the field "Account_Name" that comes with the Windows event logs that I'm using to build the query? So far this is my query; how could I use the lookup to filter to only the 130 users?

index=wineventlog sourcetype=wineventlog EventCode=4624 Account_Name!=*$
| stats latest(_time) as last_login_time by Account_Name
| convert ctime(last_login_time) as "Last Login Time"
| rename Account_Name as "User"
| sort - last_login_time
| table User "Last Login Time"
1 Solution

neerajs_81
Builder

Assuming your lookup file containing the user IDs has the column name "Account_Name", which matches the field name in the Windows events, you can do something like this:

index=wineventlog sourcetype=wineventlog EventCode=4624 [|inputlookup my_lookup_file.csv | fields Account_Name]
| stats ......
.....
....

I verified it; it works in my env. Just make sure the column name / field name in the lookup is correct based on what you want to filter on.
PS: Hit "MARK as Answer" if this solves your query.

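A complete form of the accepted answer's subsearch filter, added here as an example and not code from the thread: the subsearch renames the lookup's UserID column to Account_Name (the field-name mismatch raised in the question) so it expands into an OR of Account_Name terms, and the same inputlookup is appended after the stats so users with no 4624 event in the search window still show up as a row instead of being silently dropped. The lookup file name users_of_interest.csv is assumed.

```spl
index=wineventlog sourcetype=wineventlog EventCode=4624 Account_Name!=*$
    [| inputlookup users_of_interest.csv
     | rename UserID AS Account_Name
     | fields Account_Name ]
| stats latest(_time) AS last_login_time BY Account_Name
| append
    [| inputlookup users_of_interest.csv
     | rename UserID AS Account_Name
     | fields Account_Name ]
| stats max(last_login_time) AS last_login_time BY Account_Name
| eval last_login_display=if(isnull(last_login_time),
        "no 4624 in search window",
        strftime(last_login_time, "%Y-%m-%d %H:%M:%S"))
| sort - last_login_time
| rename Account_Name AS User, last_login_display AS "Last Login Time"
| table User "Last Login Time"
```

The subsearch output is capped at 10,000 rows by default (limits.conf [subsearch] maxout), far above the 130 users here; `| fields Account_Name` must leave only that column, otherwise the generated filter also ANDs in the lookup's other columns and matches nothing.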