Search shows results not existing in logs.

Hi Splunker;

I have the below search:

index=winevents host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3 sourcetype="WinEventLog:Security" signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon" srcnthost=* NOT [| inputlookup listkasperSky.csv] NOT [| inputlookup listnotusekasperSky.csv] | fields srcnthost | table srcnthost | dedup srcnthost

This search compares the above lookup tables with the Windows security logs: any host that does not exist in those lookup tables but does exist in the Windows logs will appear in the result. The comparison is on the (srcnthost) field.

After running the search, Splunk shows results that do not exist in the Windows logs. Why do these results appear?

Please help me in that.


The issue may have to do with what is in your csv files.

This reformatted version should give you the same (lack of) result as your code, but run it first anyway.

index=winevents sourcetype="WinEventLog:Security" src_nt_host=* 
(host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3)
(signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon")

| where NOT [| inputlookup list_kasperSky.csv] AND
        NOT [| inputlookup list_not_use_kasperSky.csv] 
| fields src_nt_host 
| table src_nt_host 
| dedup src_nt_host

If that works, then stop. The problem will have been the way the bloom filters work. I can explain that if it fixes the problem.

If that does not work, then run these as separate searches...

| inputlookup list_kasperSky.csv | head 10 | format

| inputlookup list_not_use_kasperSky.csv | head 10 | format

Those will give you a look at how the code is interpreting and formatting your NOTs. It will look something like

 ((fieldname1="value1A" AND fieldname2="value2A" AND...) OR 
  (fieldname1="value1B" AND fieldname2="value2B" AND...) OR

Check to make sure that what you are doing makes sense.

Let us know what you find, and we will continue to help you debug.
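As an added illustration of the check described above (not code from the thread or from Splunk), the following script models how `| inputlookup ... | format` renders a CSV into a boolean expression and how the outer `NOT [...]` then filters events; the CSV contents and the security events are constructed sample data, and the case-insensitive matching is a simplification.

```python
"""Model of subsearch formatting and NOT-subsearch filtering (constructed data)."""
import csv
import io

# Constructed lookup contents; the poster's real CSV files are not on the page.
KASPERSKY_CSV = "srcnthost\nHQR-AALTHAWAD\nTBK-CAM1\n"
NOT_USE_CSV = "srcnthost\nDAM-OWAMA\n"
# A header that does not match any event field (a common CSV problem).
MISMATCHED_CSV = "src_nt_host\nHQR-NAFJANMA\n"

# Constructed security events, reduced to the fields the search touches.
EVENTS = [
    {"host": "PRDADDC01", "signature": "An account was successfully logged on", "srcnthost": "HQR-AALTHAWAD"},
    {"host": "PRDADDC01", "signature": "An account was successfully logged on", "srcnthost": "HQR-NAFJANMA"},
    {"host": "DZITHQ-DC3", "signature": "Special privileges assigned to new logon", "srcnthost": "DAM-OWAMA"},
    {"host": "DZITHQ-DC3", "signature": "An account was successfully logged on", "srcnthost": "WKS-0042"},
]


def lookup_rows(csv_text):
    """Parse a CSV lookup into one dict per row, like inputlookup does."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def format_subsearch(rows):
    """Render rows the way `| format` does: ( ( f="v" AND ... ) OR ( ... ) )."""
    clauses = [" AND ".join(f'{k}="{v}"' for k, v in row.items()) for row in rows]
    return "( " + " OR ".join(f"( {c} )" for c in clauses) + " )"


def row_matches(event, row):
    """A clause matches when every lookup field equals the event's value.
    Search-term matching is modelled as case-insensitive; a field the event
    lacks can never match, so that row excludes nothing."""
    return all(str(event.get(k, "")).lower() == v.lower() for k, v in row.items())


def lookup_fields_missing_from_events(rows, events):
    """Lookup columns no event carries: such rows silently exclude nothing."""
    present = {k for ev in events for k in ev}
    return sorted({k for row in rows for k in row if k not in present})


def hosts_not_in_lookups(events, *csv_texts):
    """The search result: distinct srcnthost values no lookup row excludes."""
    excluded = [r for text in csv_texts for r in lookup_rows(text)]
    seen = []
    for ev in events:
        if any(row_matches(ev, r) for r in excluded):
            continue
        if ev["srcnthost"] not in seen:
            seen.append(ev["srcnthost"])
    return seen
```

Running `format_subsearch(lookup_rows(KASPERSKY_CSV))` prints the same shape as the `| format` output the answer asks for, and `lookup_fields_missing_from_events` is one quick way to confirm the CSV column names line up with the event field.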

Hi DalJeanis;

Thank you for your reply.

I have used the above search but changed

| where NOT [| inputlookup listkasperSky.csv] AND NOT [| inputlookup listnotusekasperSky.csv]

because it did not work, to:

NOT [inputlookup listkasper.csv]
NOT [inputlookup list

and when I execute | inputlookup list_kasperSky.csv | head 10 | format you can see the results:

( ( srcnthost="ABH-QAHTANIMS" ) OR ( srcnthost="HQR-AALTHAWAD" ) OR ( srcnthost="HQR-NAFJANMA" ) OR ( srcnthost="TBK-CAM1" ) OR ( srcnthost="HQR-ANAZIAB" ) OR ( srcnthost="HQR-CE2" ) OR ( srcnthost="DAM-OWAMA" ) OR ( srcnthost="HQR-AGENT337" ) OR ( srcnthost="HQR-GALHAZZAN-T" ) OR ( srcnthost="HQR-HABAHUSSAIN" ) )

The issue is still not resolved.

Please advise me on that.


