Hello,
I want to detect workstations authenticated to Active Directory that are not compliant with our naming conventions (the hostname should start with the country code followed by 6 numbers; example for a host from Italy: IT000121).
I already have a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my active index to make it match the naming convention I described above.
Regards,
Give this a try
Your base search to get all workstation names e.g. | tstats count WHERE index=windows by host
| search NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='alpha-2'."*" | table host])
| where match(host,"^[A-Z]{2}\d{6}$")
Hi @karimossl,
let me understand: do you want to find all the Computernames from Active Directory logs that aren't in the lookup or what else?
if this is your requirement, you could run:
index=win* NOT [ | inputlookup code_countries.csv | rename alpha-2 AS ComputerName | fields ComputerName ]
| dedup ComputerName
| sort ComputerName
| table ComputerName
Ciao.
Giuseppe
Hello @gcusello
No, I want to find computer names that do not conform to a naming convention.
The Computer name should start with the country code (e.g., Italy: IT, France: FR, USA: US), then followed by 6 digits.
Computer Name: US111220 => Good
Computer Name: DESKTOP-121 => BAD
Computer Name: FR000121 => Good
Computer Name: Kali => BAD
Best Regards,
Hi @karimoss,
in this case, you have to create a regex to search for ComputerName:
something like this:
| regex ComputerName!="^[A-Z]{2}\d{6}$"
Ciao.
Giuseppe
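As an added example (not code from anyone in this thread), the following search combines the format check with the lookup from the original question, so it flags both names that do not have the <2 letters><6 digits> shape and names whose two-letter prefix is not a country code present in code_countries.csv. It assumes the index and host field from the first reply (index=windows, field host), that code_countries.csv is uploaded as a lookup table file with a column named alpha-2, and that the codes in that column are uppercase ISO alpha-2 codes.

```spl
| tstats count WHERE index=windows BY host
| rex field=host "^(?<cc>[A-Z]{2})(?<serial>\d{6})$"
| lookup code_countries.csv alpha-2 AS cc OUTPUT alpha-2 AS known_cc
| eval reason=case(isnull(cc), "does not match <CC><6 digits>",
                   isnull(known_cc), "unknown country code ".cc,
                   true(), null())
| where isnotnull(reason)
| table host reason count
```

With the sample names from the thread, US111220 and FR000121 are dropped, DESKTOP-121 and Kali are returned with the format reason, and a name such as XX123456 is returned with the unknown-country-code reason.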