Lookup table help

tkerr357 · ‎07-01-2020

Hello all,

Looking for some help integrating a lookup table into my failed login search. What I am trying to achieve is to look for any events matching the base search I have below using each of the account name variations in the table. Any help is much appreciated.

base search: index=wineventlog OR index=h_wineventlog EventCode=4625 user=(LL,CL,TL would go here) | stats count by user

example of table below :

chrisboy68 · ‎07-02-2020

Look a inputlookup https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Inputlookup

You will want to match with your base search and perform logic on the fields returned from the lookup and base.

HTH

Chris

tkerr357 · ‎07-07-2020

sorry I have read through the documentation but can you provide a brief example of what you mean?

Lookup table help

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation

Lookup table help

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...