Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Populate field based on subsearch

evetsleep
New Member
‎02-20-2019 04:38 AM

I have a Splunk query that parses out some Windows event log data. One of the things that I examine is the user name mentioned in the event to see if they are in a lookup file. Something like:

index=security EventCode=5136 | AdminName=AccountName | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk | eval IsHelpDesk = if (match(HelpDesk,"^\w+"),"TRUE","FALSE") | table _time,AdminName,IsHelpDesk,User,OtherStuff

I generate the contents of helpdesk.csv ever morning (it's an ldapsearch that pulls the membership of some groups).

I am wondering if there is a way to do the above search without generating the helpdesk.csv lookup file every day and instead populate TRUE or FALSE for IsHelpDesk based on a subsearch (that uses ldapsearch to see if the user is a member of a group) to create a temporary lookup table so it can all be done in a single search?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-20-2019 05:59 AM

IMO, a single ldapsearch query to populate the helpdesk.csv file would be more performant than a separate ldapsearch for each row found in the security index each time this query runs. Your AD admin will appreciate it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

evetsleep
New Member
‎02-20-2019 06:03 AM

Yeah I am kind of hoping of a way to do it as a one-time thing (at that moment), but as part of a search. So generate a look up table and reference that table in the same search.

0 Karma
Reply

lakshman239
Influencer
‎02-28-2019 01:22 AM

If you have Splunk Enterprise, the users can be part of asset/identity lookups/KV store and the user fields will be auto extracted for you. In the absense of ES, your best would be to run a LDAP search each day or twice each day and update the single lookup and may be make it automated lookup?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-22-2019 05:31 AM

Why? Doing so mean you'll be hitting the LDAP server each time the search runs instead of once each day to build the lookup file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...