Splunk Search

Search results for specific users in the lookup field

qbolbk59
Path Finder

Hi All,

I am trying to list out activity of providing local admin rights other than by the authorized user accounts. The list of authorized user accounts is added in a lookup table called "ITSD.csv" and I am running the below query

index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | table User]

The result is not giving me any results, even though there are events of local admin rights provided by users in the list.

Can somebody help?

1 Solution

DalJeanis
SplunkTrust

Chances are, there are other fields in your ITSD.csv file, and it's the table command that you are missing, but here is a step-by-step debug process that you can use in these situations.


Steps to debug -

1) Find one user ("mysampleuser") in the list who has an event in the time range.

2) Run this search...

 index=winendpoint EventCode=4732 Group_Name="Administrators"  "mysampleuser"

3) Look at the field list and find the exact spelling of the field name that contains the value "mysampleuser". Let's suppose it is called mygrantorfield.

4) Now try this, and it should get the same record.

 index=winendpoint EventCode=4732 Group_Name="Administrators"  mygrantorfield="mysampleuser"

5) Now try this, and it should get the same record.

 index=winendpoint EventCode=4732 Group_Name="Administrators" 
  [|makeresults | eval User="mysampleuser" | rename User as mygrantorfield | table  mygrantorfield]

6) Now try this, and it should get the same record, plus more.

 index=winendpoint EventCode=4732 Group_Name="Administrators" 
  [|inputlookup ITSD.csv | rename User as mygrantorfield | table  mygrantorfield]




worshamn
Contributor

My guess is that you need to rename User to user (field names are case sensitive) and probably should use format, so:
index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | fields User | rename User AS user | format]

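Pulling together the two suggestions in this thread (DalJeanis's rename-to-the-grantor-field debugging steps and worshamn's fields/rename/format subsearch), here is an added example of what the finished searches could look like. It is not code from either poster. The point both answers make is the same: a subsearch is expanded into field="value" OR field="value" terms, so the field name it returns has to match, case included, the field name on the 4732 events, and the lookup column (User) rarely does. In the example, mygrantorfield is the same stand-in used in the accepted answer for whatever field step 3 shows actually holds the grantor's account name, and ITSD.csv is assumed to contain only the User column the asker showed.

```spl
| inputlookup ITSD.csv ```Search 1: inspect what the subsearch hands to the outer search```
| fields User
| rename User AS mygrantorfield ```mygrantorfield stands in for the real grantor field found in step 3```
| format

index=winendpoint EventCode=4732 Group_Name="Administrators" ```Search 2: grants made by accounts in the authorized list (the accepted answer's step 6)```
    [| inputlookup ITSD.csv | fields User | rename User AS mygrantorfield | format]
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY mygrantorfield
| convert ctime(first_seen) ctime(last_seen)

index=winendpoint EventCode=4732 Group_Name="Administrators" ```Search 3: the asker's stated goal, grants by anyone NOT in ITSD.csv```
    NOT [| inputlookup ITSD.csv | fields User | rename User AS mygrantorfield | format]
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY mygrantorfield
| convert ctime(first_seen) ctime(last_seen)

index=winendpoint EventCode=4732 Group_Name="Administrators" ```Search 4: same result without a subsearch, so the subsearch result limit does not apply```
| lookup ITSD.csv User AS mygrantorfield OUTPUT User AS authorized_grantor
| where isnull(authorized_grantor)
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY mygrantorfield
| convert ctime(first_seen) ctime(last_seen)
```

Run Search 1 on its own first: with the three-row table the asker posted, it should return a single search field reading like ( ( mygrantorfield="ABC" ) OR ( mygrantorfield="XYZ" ) OR ( mygrantorfield="DEF" ) ), which is exactly the text the outer search will see, so a wrong field name or case is visible immediately. Search 2 is the debugging target (it must return the events found in steps 2 to 5); Search 3 is the actual detection, since the question asks for grants by accounts that are not in the authorized list. Search 4 does the same with the lookup command instead of a subsearch, which matters once the authorized list grows; it assumes Splunk resolves the CSV file name directly, so substitute the lookup definition name if your deployment requires one.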

qbolbk59
Path Finder

Tried this as well. But no luck. It seems that something is missing. I have given complete read and write permission to all user roles in the search app. But still it's not working.

When I try to load the lookup table using the below query, it's working fine

|inputlookup ITSD.csv | table User

The table has just the following entries:
User
ABC
XYZ
DEF


worshamn
Contributor

Sorry, I guess I don't understand the issue. One thing to think of if you think it is a permissions issue is that lookup table files can have permissions set to private as well. Probably worth a look at Settings > Lookups > Lookup table files.
