Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why doesn't kvStore lookup work, but join does?

plaid_blanket
Explorer
‎02-01-2023 07:30 AM

I've got a kvStore lookup, AD_Obj_user, defined with fields objectSid, OU, sAMAccountName, and others.  It has case-insensitive matching.

I've got events that contain the field Sid.  I want to lookup the sAMAccountName and automate the lookup, but right now not even the manual lookup works.

This works:

 

 

 

| inputlookup AD_Obj_User where objectSid=S-1-2-34-56789012-345678901-234567890-123456

    | table objectSid sAMAccountName OU

 

 

 

but this does not work:

 

 

 

index=windows_client source="WinEventLog:PowerShell"  Sid=S-1-2-34-56789012-345678901-234567890-123456
| lookup AD_Obj_User objectSid AS Sid 
| table  OU Sid

 

 

 

I can do the lookup successfully, manually, by using this:

 

 

 

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| eval objectSid=Sid
| join type=left objectSid [| inputlookup AD_Obj_User 
    | table objectSid sAMAccountName OU]
| eval User=sAMAccountName
| fields - sAMAccountName

 

 

 

but it won't get me towards automating the lookup.

Any ideas?  I'm stumped.

Labels (1)
Labels
0 Karma
Reply

plaid_blanket
Explorer
‎02-01-2023 01:12 PM

Nope, no luck.

2023-02-01_14-06-51.jpg

If it helps, doing the lookup DOES do something, because this

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| eval objectSid="this has content"
| lookup AD_Obj_User objectSid AS Sid OUTPUT objectSid
| table  OU Sid objectSid

returns a table that has the Sid column populated, but the other two columns blank (i.e., the lookup overwrites the "this has content" stuff in objectSid).

0 Karma
Reply

shivanshu1593
Builder
‎02-01-2023 09:32 AM

Try like this:

 

index=windows_client source="WinEventLog:PowerShell"  Sid=S-1-2-34-56789012-345678901-234567890-123456
| lookup AD_Obj_User objectSid AS Sid OUTPUT objectSid as Sid
| table  OU Sid

 

++If it helps, please consider accepting as answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...