Splunk Search

Problem with a macro

fdevera
Path Finder

`get_seclabel(host,"domain_controller","-90d")`

Macro expanded:

| inputlookup sec_label where (label="domain_controller" type="host" last_updated>=1585079881.000000)


In the input lookup there are the following columns: label, type, and value. The results of this lookup give me everything that is a domain controller.  I'm trying to exclude anything that matches in the value column so I'm using this in a search but it's not excluding the list properly:

NOT
[| `get_seclabel(host,"domain_controller","-90d")` ]

I still see NADC01 as a returned value in my search even though I'm excluding it here. Any idea what I'm doing wrong?

0 Karma
1 Solution

anilchaithu
Builder

@fdevera 

I assume you are using the inputlookup as a subsearch. Please output the required field from the lookup, like here:

NOT
[| `get_seclabel(host,"domain_controller","-90d")` | fields value ]

and match the field name to the field name in the main search. If it is host, rename value to host:

NOT
[| `get_seclabel(host,"domain_controller","-90d")` | fields value | rename value as host ]


Hope this helps
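To show why the original `NOT [ ... ]` in the question excludes nothing while the rename in the answer fixes it, here is an added example (not part of either post) that models how Splunk turns subsearch rows into a `( field="value" ) OR ( ... )` filter, the way `| format` renders it. The lookup rows, the events, and the helper names `fields`, `rename`, `format_subsearch` and `remaining_hosts` are all constructed for this illustration; they stand in for the `sec_label` lookup and the main search, not for Splunk itself.

```python
from typing import Dict, List

Row = Dict[str, str]

# Constructed stand-in for what `| inputlookup sec_label where (...)` returns.
LOOKUP_ROWS: List[Row] = [
    {"label": "domain_controller", "type": "host", "value": "NADC01", "last_updated": "1590000000"},
    {"label": "domain_controller", "type": "host", "value": "NADC02", "last_updated": "1590000000"},
]

# Constructed events from the main search; note they carry `host`, not `value`.
EVENTS: List[Row] = [
    {"host": "NADC01", "action": "logon"},
    {"host": "NADC02", "action": "logon"},
    {"host": "WKS-17", "action": "logon"},
    {"host": "FILESRV1", "action": "logoff"},
]


def fields(rows: List[Row], keep: set) -> List[Row]:
    """Model of `| fields <list>`: keep only the named columns."""
    return [{k: v for k, v in r.items() if k in keep} for r in rows]


def rename(rows: List[Row], old: str, new: str) -> List[Row]:
    """Model of `| rename old AS new`."""
    out = []
    for r in rows:
        r2 = dict(r)
        if old in r2:
            r2[new] = r2.pop(old)
        out.append(r2)
    return out


def format_subsearch(rows: List[Row]) -> str:
    """Render rows the way `| format` does: each row becomes an AND group,
    and the groups are OR'd together. Useful for eyeballing what the outer
    search actually receives."""
    groups = ["( " + " AND ".join(f'{k}="{v}"' for k, v in r.items()) + " )" for r in rows]
    return "( " + " OR ".join(groups) + " )"


def matches(event: Row, rows: List[Row]) -> bool:
    """An event matches if every field=value pair of some row holds on it.
    A field the event does not carry never matches, which is the whole problem."""
    return any(all(event.get(k) == v for k, v in r.items()) for r in rows)


def remaining_hosts(events: List[Row], rows: List[Row]) -> List[str]:
    """Apply `NOT [subsearch]`: drop events that match any row, return the hosts left."""
    return [e["host"] for e in events if not matches(e, rows)]


if __name__ == "__main__":
    # 1. Question as posted: all lookup columns leak into the filter; no event has
    #    label/type/value fields, so nothing is excluded and NADC01 survives.
    print(format_subsearch(LOOKUP_ROWS))
    print(remaining_hosts(EVENTS, LOOKUP_ROWS))

    # 2. `| fields value` alone: still filters on `value`, which events lack.
    only_value = fields(LOOKUP_ROWS, {"value"})
    print(format_subsearch(only_value))
    print(remaining_hosts(EVENTS, only_value))

    # 3. `| fields value | rename value as host`: field names line up, DCs drop out.
    as_host = rename(only_value, "value", "host")
    print(format_subsearch(as_host))
    print(remaining_hosts(EVENTS, as_host))
```

Running it prints the three rendered filters; only the third, `( ( host="NADC01" ) OR ( host="NADC02" ) )`, removes the domain controllers. In real Splunk, prepending `| format` to the subsearch (or running the subsearch on its own) is the quickest way to confirm which field names it is emitting before debugging the outer `NOT`. Keep in mind that subsearch results are capped (10,000 rows by default), so a very large label list would silently stop excluding hosts past that limit.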


anilchaithu
Builder

If this helps, an upvote would be appreciated.
