I have a query to search particular event id's from Active Directory and see what Targets these apply to. Instead of listing 100 different AD groups, I chose to use a lookup table. My query is as follows:
index=<index name> EventID IN (4728,4729) TargetUserName IN
    [| inputlookup Test_Splunk_Lookup_Table_v2.csv
     | return 200 "$Group_Name"]
| eval EventID=case(EventID=="4728","Added",EventID=="4729","Removed")
| rename Computer AS "Domain Controller",TargetUserName AS "Group",EventID AS "Action"
| table "_time","SubjectUserName","Action","MemberName","Group","Domain Controller"
The search works well as long as the group names in the lookup table are unique. But if there is an entry in the lookup table that has derivatives (i.e. AD_Group), it returns all the derivatives too, instead of only what is in the lookup table.
Example lookup table:
Group_Name column contains "AD_Group", "AD_Group_1", "AD_Group_2"
The search returns all of the above groups plus additional groups not in the lookup table: AD_Group_3, AD_Group_4, etc.
I need to know how I can just return the entries in the list and not the derivatives of AD_Group.
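One way to restrict the results to exactly the names in the CSV, as an added example that is not part of the original post: keep the base search and filter with the `lookup` command instead of expanding the lookup into search terms, because `lookup` matches field values exactly (case-sensitively for a CSV lookup unless the lookup definition sets case_sensitive_match to false). It assumes the CSV column is `Group_Name` as in the question and that the file is usable as a lookup table; the field name `matched_group` is an arbitrary choice.

```spl
index=<index name> EventID IN (4728,4729)
| lookup Test_Splunk_Lookup_Table_v2.csv Group_Name AS TargetUserName OUTPUT Group_Name AS matched_group
| where isnotnull(matched_group)
| eval Action=case(EventID=="4728","Added",EventID=="4729","Removed")
| rename Computer AS "Domain Controller",TargetUserName AS "Group"
| table _time,SubjectUserName,Action,MemberName,Group,"Domain Controller"
```

Because the filter is applied after the events are retrieved rather than at search time, it scans every 4728/4729 event in the index; that is usually fine for group-membership events but worth checking against the index volume.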