My current search, which is working, is:
| from datamodel:Remote_Access_Authentication
| rex field=dest_nt_domain "^(?<dest_nt_domain>[^\.]+)"
| join dest_nt_domain [|inputlookup Domain | rename name AS dest_nt_domain | fields dest_nt_domain]
| table dest_nt_domain
My problem is that this search only returns values that match. How can I change this to an evaluation? If the two items match, "Domain Account"; if not, "Non Domain Account".
My input lookup only contains one item.
I have a feeling that you're thinking in SQL and want to bring the same paradigm to Splunk.
Try describing what data you have and what you want to get as a result. We'll see how to get there.
My data model is searching for all windows logins.
index=* EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) NOT (user=*$) NOT (user=system) NOT (user=*-*)
With this search I get a field called dest_nt_domain. This field will have results such as:
Test
Test.local
other
My above search has the rex command to remove everything after the period. I finally have a kvlookup called Domain with a field of name. It contains one value: Test. I'm wanting to evaluate the above data against the one value in my kvlookup.
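One way to get the labelling described above, as an added example that is not part of the original thread: replace the inner `join` (which behaves like an inner join and drops the non-matching events) with the `lookup` command, which leaves every event in place and only adds a field when the lookup value matches. Then `eval` turns "did a match come back" into the label. This assumes the lookup definition is named `Domain` with a field `name`, and that `dest_nt_domain` has already been shortened by the `rex` line, exactly as in the posted search; the field names `matched_domain` and `account_type` are chosen here for illustration.

```spl
| from datamodel:Remote_Access_Authentication
| rex field=dest_nt_domain "^(?<dest_nt_domain>[^\.]+)"
| lookup Domain name AS dest_nt_domain OUTPUT name AS matched_domain
| eval account_type=if(isnotnull(matched_domain), "Domain Account", "Non Domain Account")
| stats count BY dest_nt_domain account_type
```

With the sample values in the thread, `Test` and `Test.local` both shorten to `Test`, the lookup returns `matched_domain=Test` for them, and they are labelled "Domain Account"; `other` gets no `matched_domain` and is labelled "Non Domain Account". Two caveats worth checking on real data: the lookup match is on the exact string, so if the domain appears in mixed case in some events, apply `lower()` to `dest_nt_domain` (and store the lookup value in lower case) before the `lookup` line; and events with no `dest_nt_domain` at all will also fall into "Non Domain Account", so add `| where isnotnull(dest_nt_domain)` first if those should be excluded rather than counted as non-domain logons.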