Nested inputlookup with join or eval

jeradb · ‎02-01-2024

My current search that is working is -

| from datamodel:Remote_Access_Authentication
| rex field=dest_nt_domain "^(?<dest_nt_domain>[^\.]+)" 
| join dest_nt_domain [|inputlookup Domain | rename name AS dest_nt_domain | fields dest_nt_domain]
| table dest_nt_domain

My problem is that this search only returns values that match. How can I change this to an evaluation? If the two items match "Domain Accout" if != "Non Domain Account"

My input lookup only contains one item.

PickleRick · ‎02-01-2024

I have a feeling that you're thinking in SQL and want to bring the same paradigm to Splunk.

Try describing what data you have and what you want to get as a result. We'll see how to get there.

jeradb · ‎02-01-2024

My data model is searching for all windows logins.

index=* EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) NOT (user=*$) NOT (user=system) NOT (user=*-*)

with this search i get a field called dest_nt_domain. This field will have results as -

Test

Test.local

other

My above search has the rex command to remove everything after the period. I finally have a kvlookup called Domain with a field of name. It contains one value - Test. Im wanting to evaluate the above data vs the one value in my kvlookup.

Nested inputlookup with join or eval

lookup

rex

subsearch

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

Nested inputlookup with join or eval

lookup

rex

subsearch

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar