Hello! I am attempting to find events based on names in a CSV file (I am attempting to build a search to identify security group name changes). However, I appear to be missing something since I do not get any results.
Here is the search I am trying, but it is not presenting any results:
(EventCode=4781)
[inputlookup Groups.csv | rename Security_ID AS Old_Account_Name]
Here is what I have and have tried:
I have a Groups.csv file that looks like this that contains the groups I would like to search against:
Security_ID
*\Group1
*\Group2
*\Group3
I have tested renaming the header and this correctly shows the contents of my CSV file with the renamed header as expected:
| inputlookup Groups.csv | rename Security_ID AS Old_Account_Name
I am also able to successfully get results when I do this:
(EventCode=4781)
(Old_Account_Name="*\Group1")
However, I am not able to perform the original search, which is to search for events that contain any of the groups in the CSV file.
I appear to be missing something - can someone please help correct my search query?
Thanks!
Update 1:
With micahkemp's help below, I have identified that my original search was faulty since the field "Old_Account_Name" in the event does not contain a domain prefix, i.e. "Old_Account_Name" in the Splunk event shows as "Group1" instead of "Domain\Group1", and therefore, I should not be looking for "*\Group1", but rather "Group1" only. What I need help with now is how to either create a substring in the table, or replace the characters "*" with "" in the table - can anyone help me with this?
Thanks!
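One way to do the prefix stripping inside the subsearch itself, as an added example that is not part of the original post or any answer on it: split each lookup value on the backslash, keep the last segment, and pass only the renamed field out of the subsearch. This assumes that in an eval string literal `"\\"` denotes a single backslash and that the lookup values always carry exactly one `*\` prefix.

```spl
EventCode=4781
    [| inputlookup Groups.csv
     | eval Old_Account_Name=mvindex(split(Security_ID, "\\"), -1)
     | fields Old_Account_Name]
```

The `fields` step matters: without it the subsearch would also hand back `Security_ID="*\Group1"` and AND it into each clause, so nothing would match. Run the bracketed part on its own first (without the outer `EventCode=4781`) to confirm it returns `Group1`, `Group2`, `Group3`.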