Answers.. Second, you need to explain raw data.  What are in WinEventLog:Security?   --User account creation events.  Tells whom created a local account, when they created it and on what server they created it, and name of the local account.  Hence the 4720/624 event id's . What is the format of AccountName?   johndoe, johndoe, svcaccount1, svcaccount2, etc...   It looks like you really want to match ComputerName.  Does this field come with WinEventLog:Security?   --Yes it is tied to the data in splunk as example like "server1.xyz.com"  So trying to match ComputerName with either "name" or "fqdn" from csv file to match them as a lookup match.   What is the format of this this field?   --shown above. Why you think it will match both "fqdn" and "name" in Servers.csv?   --Because the database im querying is all logs from all of our Windows servers in Splunk and is mandatory for compliancy reasons.  The list of servers in the csv file MUST be in compliance and reporting Windows Security Event logs into Splunk.   What is the content of that field "name" in the table command?   --disregard this, i made a mistake as i am renaming it to ComputerName.  What i mean is that i can remove that out of the table command because ComputerName will be the output i need.    Does "name" come with WinEventLog:Security? --No its only in the csv.  Sorry for the confusion.   Third, you need to explain what the two fields "fqdn" and "name" are in that Servers.csv.  If I have to speculate, fqdn is a fully qualified domain name, and "name" is a Windows name.  I would assume that they carry different and incompatible formats, like fqdn name server123.example.com windows-a server456.example.com windows-b  --Yes correct this is the format and example.     input file looks like this Fqdn Name Ip Server1.abc.com Server1 1.2.3.4 Server2.abc.com Server2 1.2.3.5 Etc Etc etc   Input + existing splunk event codes 4720 or 624 =   = output like below matching fqdn or name as ComputerName. _time ComputerName EventCode CreatedBy New_User Ip_address     10:00am etc etc Server1.abc.com 4720 Johnd Svcacct34 1.2.3.4     xxxx Server2.abc.com 4720 Josephb Svcacct1234 1.2.3.5     xxx Etc Etc Etc Etc etc                                               ... View more

The query you sent is executing but the output results are not matching server names from my csv list. Example in the csv i may have server1 thru server2000.  (Server1..Server2...Server3....Server2000) by name.  The output results are showing server3000,server3001,server3002, no rhyme or reason, just not matching up to servers in the csv list.  The csv list should be the primary lookup for hostname or fqdn.  So instead of me having to write a massive query of 10k server names or run hundreds of queries, im just wanting to use inputlookup file to set the stage for the lookup.  I hope this makes more sense and apologies if i didn't explain well the first time.  🙂 Can you help me with making the csv the authoritative lookup source by name or fqdn?  I dont need both, but at least fqdn minimum.  Name was just a bonus lookup. ... View more

Thank you first of all for replying and helping on this issue.  What i am doing is using a csv file dumped out of a security tool that already has inventory of "name" or just netbios name and "fqdn" as FQDN of that same netbios name but just with the domain name added onto it of course.  My goal is to use this input csv file as the source scope of the lookup query to see what local accounts were created, by whom, and when, then matching that up against the csv scope list.  Hopefully that makes more sense. So on the inputlookup csv called "Servers.csv" i need to use that list that contains 2 columns of data, one is "fqdn" and the other is "name".  I need to use these as primary lookups to match data in Splunk query Windows event code.     ... View more