Splunk Search

Populate field based on subsearch

evetsleep
New Member

I have a Splunk query that parses out some Windows event log data. One of the things that I examine is the user name mentioned in the event to see if they are in a lookup file. Something like:

index=security EventCode=5136 | rename AccountName AS AdminName | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk | eval IsHelpDesk=if(match(HelpDesk,"^\w+"),"TRUE","FALSE") | table _time,AdminName,IsHelpDesk,User,OtherStuff

I generate the contents of helpdesk.csv every morning (it's an ldapsearch that pulls the membership of some groups).

I am wondering if there is a way to do the above search without generating the helpdesk.csv lookup file every day and instead populate TRUE or FALSE for IsHelpDesk based on a subsearch (that uses ldapsearch to see if the user is a member of a group) to create a temporary lookup table so it can all be done in a single search?

0 Karma

richgalloway
SplunkTrust

IMO, a single ldapsearch query to populate the helpdesk.csv file would be more performant than a separate ldapsearch for each row found in the security index each time this query runs. Your AD admin will appreciate it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

evetsleep
New Member

Yeah, I am kind of hoping for a way to do it as a one-time thing (at that moment), but as part of a search. So generate a lookup table and reference that table in the same search.

0 Karma

lakshman239
Influencer

If you have Splunk Enterprise Security, the users can be part of asset/identity lookups/KV store and the user fields will be auto extracted for you. In the absence of ES, your best bet would be to run an LDAP search each day or twice each day and update the single lookup, and maybe make it an automated lookup?

0 Karma

richgalloway
SplunkTrust

Why? Doing so means you'll be hitting the LDAP server each time the search runs instead of once each day to build the lookup file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
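An added illustration, not posted by anyone in the thread, showing both shapes as savedsearches.conf stanzas: a scheduled search that rebuilds the lookup from inside Splunk once a day (the approach the replies recommend), and the single-search variant the question asks for, which folds the LDAP result in with append. It assumes the ldapsearch command from the Splunk Supporting Add-on for Active Directory, a placeholder group DN, and a lookup definition named helpdesk backed by helpdesk.csv.

```ini
# Added example (savedsearches.conf); not from the thread. Assumes the
# ldapsearch command from the Splunk Supporting Add-on for Active Directory,
# a placeholder group DN, and a lookup definition "helpdesk" backed by
# helpdesk.csv (lookup takes the definition name, inputlookup/outputlookup
# take the file name).

# Option 1: refresh the lookup from inside Splunk once a day, so the main
# search never touches the directory. One LDAP query per day, as advised.
[Refresh helpdesk lookup]
enableSched = 1
cron_schedule = 0 6 * * *
search = | ldapsearch search="(&(objectCategory=person)(memberOf=CN=HelpDesk,OU=Groups,DC=example,DC=local))" attrs="sAMAccountName" \
  | rename sAMAccountName AS AdminName \
  | dedup AdminName \
  | table AdminName \
  | outputlookup helpdesk.csv

[Admin changes with helpdesk flag]
search = index=security EventCode=5136 \
  | rename AccountName AS AdminName \
  | lookup helpdesk AdminName OUTPUT AdminName AS HelpDesk \
  | eval IsHelpDesk=if(isnotnull(HelpDesk),"TRUE","FALSE") \
  | table _time, AdminName, IsHelpDesk, User, OtherStuff

# Option 2: single search, as asked. The subsearch runs on every execution,
# so the directory is queried each time; the rows it returns are tagged,
# merged by AdminName with eventstats, then dropped again.
[Admin changes with helpdesk flag, single search]
search = index=security EventCode=5136 \
  | rename AccountName AS AdminName \
  | eval src="event" \
  | append [| ldapsearch search="(&(objectCategory=person)(memberOf=CN=HelpDesk,OU=Groups,DC=example,DC=local))" attrs="sAMAccountName" \
      | rename sAMAccountName AS AdminName | eval src="ldap", HelpDesk="TRUE" | table AdminName, src, HelpDesk] \
  | eventstats values(HelpDesk) AS IsHelpDesk BY AdminName \
  | where src="event" \
  | fillnull value="FALSE" IsHelpDesk \
  | table _time, AdminName, IsHelpDesk, User, OtherStuff
```

The BY-clause match in option 2 is case-sensitive, so if event AccountName values and sAMAccountName differ in case, normalise both with lower() before the eventstats.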