Splunk Search

Search results for specific users in the lookup field

qbolbk59
Path Finder

Hi All,

I am trying to list out activity of providing local admin rights other than the authorized user accounts. The list of authorized user accounts is added in a lookup table called "ITSD.csv" and I am running the below query

index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | table User]

The query is not giving me any results, even though there are events of local admin rights provided by users in the list.

Can somebody help?

0 Karma
1 Solution

DalJeanis
SplunkTrust

Chances are, there are other fields in your ITSD.csv file, and it's the table command that you are missing, but here is a step by step debug process that you can use in these situations.


Steps to debug -

1) Find one user ("mysampleuser") in the list who has an event in the time range.

2) Run this search...

 index=winendpoint EventCode=4732 Group_Name="Administrators"  "mysampleuser"

3) Look at the field list and find the exact spelling of the field name that contains the value "mysampleuser". Let's suppose it is called mygrantorfield.

4) Now try this, and it should get the same record.

 index=winendpoint EventCode=4732 Group_Name="Administrators"  mygrantorfield="mysampleuser"

5) Now try this, and it should get the same record.

 index=winendpoint EventCode=4732 Group_Name="Administrators" 
  [|makeresults | eval User="mysampleuser" | rename User as mygrantorfield | table  mygrantorfield]

6) Now try this, and it should get the same record, plus more.

 index=winendpoint EventCode=4732 Group_Name="Administrators" 
  [|inputlookup ITSD.csv | rename User as mygrantorfield | table  mygrantorfield]


0 Karma

worshamn
Contributor

My guess is that you need to rename User to user (field names are case sensitive) and probably should use format, so:
index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | fields User | rename User AS user | format]

0 Karma
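The reason the debug procedure above works, and why the rename/format step matters, is that Splunk replaces the subsearch with an OR of field="value" terms built from the subsearch's own field names, so a lookup column called User only ever matches events that carry a field called User. The following is an added example that is not code from this thread: a small Python model of that expansion, run over a constructed lookup (the three rows ABC/XYZ/DEF the poster listed) and constructed 4732/4733 events. The grantor field name Subject_Account_Name and the member field Member_Name are assumptions for illustration; find the real name with step 3 of the procedure and substitute it. The model also applies the NOT form, which is what the original goal (grants performed by accounts not in the list) needs.

```python
"""Model of how a Splunk subsearch built from a lookup is expanded and applied.

Constructed example, not code from the thread. ITSD_CSV stands in for the
ITSD.csv lookup and EVENTS for index=winendpoint records. The field name
Subject_Account_Name (account that made the change) is an assumption.
"""
import csv
import io

# Constructed stand-in for ITSD.csv, with the three rows the poster listed.
ITSD_CSV = "User\nABC\nXYZ\nDEF\n"

# Constructed stand-in for Windows security events. Only the fields the example
# inspects are present; Subject_Account_Name and Member_Name are assumed names.
EVENTS = [
    {"EventCode": "4732", "Group_Name": "Administrators", "Subject_Account_Name": "ABC", "Member_Name": "jdoe"},
    {"EventCode": "4732", "Group_Name": "Administrators", "Subject_Account_Name": "xyz", "Member_Name": "svc_backup"},
    {"EventCode": "4732", "Group_Name": "Administrators", "Subject_Account_Name": "mallory", "Member_Name": "mallory"},
    {"EventCode": "4732", "Group_Name": "Remote Desktop Users", "Subject_Account_Name": "ABC", "Member_Name": "jdoe"},
    {"EventCode": "4733", "Group_Name": "Administrators", "Subject_Account_Name": "DEF", "Member_Name": "jdoe"},
]


def inputlookup(csv_text, field):
    """`|inputlookup ITSD.csv | table <field>`: the values of one lookup column."""
    return [row[field] for row in csv.DictReader(io.StringIO(csv_text))]


def format_clause(field, values, negate=False):
    """Text Splunk substitutes for the subsearch, in the shape `format` prints:
    ( ( field="v1" ) OR ( field="v2" ) ... ), optionally under NOT.
    `rename User as <field>` is modelled by passing the event field name here."""
    clause = "( " + " OR ".join(f'( {field}="{v}" )' for v in values) + " )"
    return f"NOT {clause}" if negate else clause


def field_matches(event, field, values):
    """field="value" semantics: the field name is case-sensitive and an absent
    field never matches; the value comparison is case-insensitive."""
    if field not in event:
        return False
    return event[field].casefold() in {v.casefold() for v in values}


def run_search(events, field, values, negate=False):
    """index=winendpoint EventCode=4732 Group_Name="Administrators" [subsearch],
    applied to the in-memory events. Returns the matching events."""
    out = []
    for ev in events:
        if ev["EventCode"] != "4732" or ev["Group_Name"].casefold() != "administrators":
            continue
        hit = field_matches(ev, field, values)
        if hit != negate:
            out.append(ev)
    return out


def grants_by_listed_users(field="User"):
    """The poster's query: with field="User" the subsearch terms name a field
    no event has, so nothing matches; with the renamed field they do."""
    return run_search(EVENTS, field, inputlookup(ITSD_CSV, "User"))


def grants_by_unlisted_users(field):
    """The stated goal: admin-group additions made by accounts NOT in the lookup."""
    return run_search(EVENTS, field, inputlookup(ITSD_CSV, "User"), negate=True)


if __name__ == "__main__":
    users = inputlookup(ITSD_CSV, "User")
    print("without rename:", format_clause("User", users))
    print("  ->", len(grants_by_listed_users("User")), "events")  # 0
    print("with rename:   ", format_clause("Subject_Account_Name", users))
    print("  ->", len(grants_by_listed_users("Subject_Account_Name")), "events")  # 2
    print("unlisted grantors:", format_clause("Subject_Account_Name", users, negate=True))
    for ev in grants_by_unlisted_users("Subject_Account_Name"):
        print("  ->", ev["Subject_Account_Name"], "added", ev["Member_Name"])  # mallory
```

Once the real grantor field is known, the SPL equivalent of the negated run is, with the assumed field name, index=winendpoint EventCode=4732 Group_Name="Administrators" NOT [|inputlookup ITSD.csv | rename User AS Subject_Account_Name | fields Subject_Account_Name | format]. Two practical checks: run the subsearch on its own with format appended and read the search field it produces, and remember that an empty subsearch result expands to nothing, so a NOT form then returns every 4732 event rather than none.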

qbolbk59
Path Finder

Tried this as well, but no luck. It seems that something is missing. I have given complete read and write permission to all user roles in the search app, but still it's not working.

When I try to load the lookup table using the below query, it's working fine

|inputlookup ITSD.csv | table User

The table has just the following entries
User
ABC
XYZ
DEF

0 Karma

worshamn
Contributor

Sorry, I guess I don't understand the issue. One thing to think of if you think it is a permissions issue is that lookup table files can have permissions set to private as well. Probably worth a look: Settings > Lookups > Lookup table files

0 Karma