Solved: values Shared by Search output and Lookup

DavisLee · ‎01-24-2019

TIA. This has probably been asked and answered dozens of times but my brain is now mush.

The following search gives me a column named "Account_Name":

eventtype=wineventlog_security EventCode=4768 (Result_Code=0x12 OR Result_Code=0x17) Client_Address!="*123.456.789.4*" | regex Account_Name="^[^\\$]+$" | stats  count by Account_Name dest_nt_host dest_nt_domain Client_Address | dedup Account_Name keepevents=true | where count>7 | sort -count

I have a lookup search that produces "DisabledUsers.csv" where the first column is "sAMAccountName". I want to output the matches, in other words, the users that are common to both sources: the accounts that are identical between "Account_Name" and "sAMAccountName".

Suggestions?

Vijeta · ‎01-24-2019

eventtype=wineventlog_security EventCode=4768 (Result_Code=0x12 OR Result_Code=0x17) Client_Address!="123.456.789.4" | regex Account_Name="^[^\\$]+$" | stats count by Account_Name dest_nt_host dest_nt_domain Client_Address | dedup Account_Name keepevents=true | where count>7 | sort -count| join Account_Name[|inputlookup DisabledUsers.csv| rename "sAMAccountName" as Account_Name]

View solution in original post

Vijeta · ‎01-24-2019

eventtype=wineventlog_security EventCode=4768 (Result_Code=0x12 OR Result_Code=0x17) Client_Address!="123.456.789.4" | regex Account_Name="^[^\\$]+$" | stats count by Account_Name dest_nt_host dest_nt_domain Client_Address | dedup Account_Name keepevents=true | where count>7 | sort -count| join Account_Name[|inputlookup DisabledUsers.csv| rename "sAMAccountName" as Account_Name]

values Shared by Search output and Lookup

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms