Hi All,
I am trying to list the activity of local admin rights being granted by anyone other than the authorized user accounts. The list of authorized user accounts is in a lookup table called "ITSD.csv", and I am running the query below:
index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | table User]
The search is not giving me any results, even though there are events of local admin rights being granted by users in the list.
Can somebody help?
Chances are, there are other fields in your ITSD.csv file, and it's the table command that you are missing, but here is a step by step debug process that you can use in these situations.
Steps to debug -
1) Find one user ("mysampleuser") in the list who has an event in the time range.
2) Run this search...
index=winendpoint EventCode=4732 Group_Name="Administrators" "mysampleuser"
3) Look at the field list and find the exact spelling of the field name that contains the value "mysampleuser". Let's suppose it is called mygrantorfield.
4) Now try this, and it should get the same record.
index=winendpoint EventCode=4732 Group_Name="Administrators" mygrantorfield="mysampleuser"
5) Now try this, and it should get the same record.
index=winendpoint EventCode=4732 Group_Name="Administrators"
[|makeresults | eval User="mysampleuser" | rename User as mygrantorfield | table mygrantorfield]
6) Now try this, and it should get the same record, plus more.
index=winendpoint EventCode=4732 Group_Name="Administrators"
[|inputlookup ITSD.csv | rename User as mygrantorfield | table mygrantorfield]
My guess is that you need to rename User to user (field names are case sensitive) and probably should use format, like so:
index=winendpoint EventCode=4732 Group_Name="Administrators" [|inputlookup ITSD.csv | fields User|rename User AS user|format]
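As an added example (not from any of the answers above): if the intent is to surface grants made by anyone outside ITSD.csv, the subsearch has to be negated with NOT, and the lookup's User column must be renamed to the exact, case-sensitive field name the 4732 events use for the granting account. mygrantorfield below is the same placeholder used in the debug steps; replace it with the real field name found in step 3.

```spl
index=winendpoint EventCode=4732 Group_Name="Administrators"
    NOT [| inputlookup ITSD.csv | fields User | rename User AS mygrantorfield | format]
| table _time host mygrantorfield Group_Name
```

Running the bracketed subsearch on its own (without NOT) shows the rendered `( mygrantorfield="ABC" ) OR ...` clause, which is a quick way to confirm the field name matches the events before trusting an empty result set.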
Tried this as well, but no luck. It seems that something is missing. I have given complete read and write permission to all user roles in the search app, but it's still not working.
When I try to load the lookup table using the query below, it works fine:
|inputlookup ITSD.csv | table User
The table has just the following entries:
User
ABC
XYZ
DEF
Sorry, I guess I don't understand the issue. One thing to think of, if you think it is a permissions issue, is that lookup table files can have permissions set to private as well. Probably worth a look: Settings > Lookups > Lookup table files