Hello all,
Looking for some help integrating a lookup table into my failed login search. What I am trying to achieve is to look for any events matching the base search I have below using each of the account name variations in the table. Any help is much appreciated.
base search: index=wineventlog OR index=h_wineventlog EventCode=4625 user=(LL,CL,TL would go here) | stats count by user
Example of table below:
Look at inputlookup: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Inputlookup
You will want to match with your base search and perform logic on the fields returned from the lookup and base.
HTH
Chris
Sorry, I have read through the documentation, but can you provide a brief example of what you mean?
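One way to apply the inputlookup suggestion to the base search above, as an added example that is not part of the original thread: a subsearch reads the lookup, folds the three variation columns into a single user field with one row per account name, and hands those rows back to the outer search as an OR'd list of user= filters. The lookup file name account_variations.csv is hypothetical, and LL, CL and TL are assumed to be the column names of the table.

```spl
(index=wineventlog OR index=h_wineventlog) EventCode=4625
    [ | inputlookup account_variations.csv
      | eval user=mvappend(LL, CL, TL)
      | mvexpand user
      | eval user=trim(user)
      | where user!=""
      | dedup user
      | fields user ]
| stats count by user
```

The where clause drops rows whose variation cells are empty, so a blank cell never becomes an empty user filter. Subsearches are capped in result count and run time, so check those limits if the lookup is large.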