Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search using results of a search

LynneEss
Engager
‎06-10-2021 08:31 AM

I have a working search that we use to give a list of the members of admin groups in Active Directory:

| inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin"  OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members

 

Some of the group_members are groups themselves so I would like to do a further search to find the members of the groups that are members of the admin groups (hope this makes sense)

I can identify which group_members are another group by the naming conventions we use (the groups will always begin with "Role_") but I'm not sure how I can do the next query to return the members of the "Role_" groups within the same search.

 

Reply
1 Solution
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎06-10-2021 09:00 AM

Not a best one but I guess it will do the job

| inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin"  OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members
| lookup AD_Groups_LDAP_list group_name as group_members OUTPUT group_members as group_members1
|  mvexpand group_members1
| eval group_members = coalesce(group_members1, group_members)

 

View solution in original post

Reply
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎06-10-2021 09:00 AM

Not a best one but I guess it will do the job

| inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin"  OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members
| lookup AD_Groups_LDAP_list group_name as group_members OUTPUT group_members as group_members1
|  mvexpand group_members1
| eval group_members = coalesce(group_members1, group_members)

 

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...