I have a Splunk query that parses out some Windows event log data. One of the things that I examine is the user name mentioned in the event to see if they are in a lookup file. Something like:
index=security EventCode=5136 | eval AdminName=AccountName | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk | eval IsHelpDesk = if(match(HelpDesk,"^\w+"),"TRUE","FALSE") | table _time,AdminName,IsHelpDesk,User,OtherStuff
I generate the contents of helpdesk.csv every morning (it's an ldapsearch that pulls the membership of some groups).
I am wondering if there is a way to do the above search without generating the helpdesk.csv lookup file every day, and instead populate TRUE or FALSE for IsHelpDesk based on a subsearch (that uses ldapsearch to see if the user is a member of a group) to create a temporary lookup table, so it can all be done in a single search?
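A helper for the daily helpdesk.csv step described above, as an added example that is not part of the original post: it turns the LDIF that ldapsearch prints for a group-membership query into the one-column lookup file the query consumes. The group DN placeholder, the use of the sAMAccountName attribute, and the LDIF sample itself are assumptions constructed for the example.

```python
import base64
import csv
import io

# Constructed sample of `ldapsearch -LLL ... "(memberOf=<GROUP_DN>)" sAMAccountName`
# output (LDIF): a folded dn line, a base64 ("::") value, and a duplicate entry.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Help Desk,
 DC=example,DC=com
sAMAccountName: jane.doe

dn: CN=John Doe,OU=Help Desk,DC=example,DC=com
sAMAccountName:: amRvZQ==

dn: CN=Jane Doe,OU=Help Desk,DC=example,DC=com
sAMAccountName: jane.doe
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_accounts(ldif_text, attr="sAMAccountName"):
    """Return the sorted, de-duplicated values of `attr` from ldapsearch LDIF output."""
    accounts = set()
    for line in unfold_ldif(ldif_text):
        if not line or line.startswith("#"):
            continue  # entry separator, or a comment/referral line
        name, _, value = line.partition(":")
        if name.lower() != attr.lower():
            continue
        if value.startswith(":"):  # "attr:: <base64>" form used for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        accounts.add(value.strip())
    return sorted(accounts)


def lookup_csv(accounts, column="AdminName"):
    """Render the lookup file the query expects: a header row, then one account per row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows([[column]] + [[account] for account in accounts])
    return buf.getvalue()
```

In the scheduled job, feed the captured ldapsearch output to parse_accounts and write lookup_csv's result to the helpdesk.csv lookup file in place of SAMPLE_LDIF.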
IMO, a single ldapsearch query to populate the helpdesk.csv file would be more performant than a separate ldapsearch for each row found in the security index each time this query runs. Your AD admin will appreciate it.
Yeah, I am kind of hoping for a way to do it as a one-time thing (at that moment), but as part of a search. So generate a lookup table and reference that table in the same search.
If you have Splunk Enterprise Security, the users can be part of asset/identity lookups/KV store and the user fields will be auto-extracted for you. In the absence of ES, your best bet would be to run an LDAP search each day or twice each day and update the single lookup, and maybe make it an automatic lookup?
Why? Doing so means you'll be hitting the LDAP server each time the search runs instead of once each day to build the lookup file.