i am running a search that will look for failed authentication attempts of a user within a 1 minute window and get the Client IP address of the machines that the user was trying to authenticate from. to do that i use a transaction command with the UserID as the field.
it does what it is supposed to and it returns the client IP addresses as requested, however there are times that it returns multiple client IP addresses for the same user within the same time window. now I want to do a lookup for the IP address and return the Client name that is assigned to the IP address. it is all good if transaction returns only one IP address, however if the IP address returned from the transaction is more than one then the lookup only return value for one entry and the other found IP addresses will not be looked up.
any way to lookup for multiple values returned by the transaction command?
here is the search and lookup i am trying to run:
index=adsecurity AND (EventID=4625) OR (EventID=4771 AND AD_FailureCode="0x18") AND NOT tag=dc
| transaction UserID maxspan 1m
| where eventcount>10
| lookup Ops_DHCP_IP2MAC Client_IP as Client_IP output Client_Name,MAC_Address
| eval Client_NMF=if (Client_Name=="No Match Found!!",Client_IP,NULL)
| lookup Ops_Servers Client_IP as Client_NMF output Client_Name,MAC_Address
| table UserID Display_Name Client_IP Client_Name MAC_Address eventcount EventID
| sort 0 -eventcount
the first lookup looks for the IP address of the clients from dhcp and if it does not found a match then the second lookup will look for the IP address in a server list.