Splunk Enterprise

Why doesn't kvStore lookup work, but join does?

plaid_blanket
Explorer

I've got a kvStore lookup, AD_Obj_User, defined with fields objectSid, OU, sAMAccountName, and others. It has case-insensitive matching.

I've got events that contain the field Sid. I want to look up the sAMAccountName and automate the lookup, but right now not even the manual lookup works.

This works:

| inputlookup AD_Obj_User where objectSid=S-1-2-34-56789012-345678901-234567890-123456
| table objectSid sAMAccountName OU

but this does not work:

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| lookup AD_Obj_User objectSid AS Sid
| table OU Sid

I can do the lookup successfully, manually, by using this:

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| eval objectSid=Sid
| join type=left objectSid [| inputlookup AD_Obj_User 
    | table objectSid sAMAccountName OU]
| eval User=sAMAccountName
| fields - sAMAccountName

but it won't get me towards automating the lookup.

Any ideas?  I'm stumped.


plaid_blanket
Explorer

Nope, no luck.


If it helps, doing the lookup DOES do something, because this

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| eval objectSid="this has content"
| lookup AD_Obj_User objectSid AS Sid OUTPUT objectSid
| table OU Sid objectSid

returns a table that has the Sid column populated, but the other two columns blank (i.e., the lookup overwrites the "this has content" stuff in objectSid).


shivanshu1593
Builder

Try like this:

index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| lookup AD_Obj_User objectSid AS Sid OUTPUT objectSid as Sid
| table OU Sid

++If it helps, please consider accepting as answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
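A diagnostic search, added here and not taken from the thread, that runs the plain lookup and a lookup on a whitespace-trimmed, upper-cased copy of Sid side by side, so it becomes visible whether the key value itself is what fails to match the KV Store. The field names Sid_len, Sid_norm, User_plain, OU_plain, User_norm and OU_norm are assumed for this example; the index, source, lookup and field names are those from the question.

```spl
index=windows_client source="WinEventLog:PowerShell" Sid=S-1-2-34-56789012-345678901-234567890-123456
| head 1
| eval Sid_len=len(Sid), Sid_norm=upper(trim(Sid))
| lookup AD_Obj_User objectSid AS Sid OUTPUTNEW sAMAccountName AS User_plain OU AS OU_plain
| lookup AD_Obj_User objectSid AS Sid_norm OUTPUTNEW sAMAccountName AS User_norm OU AS OU_norm
| table Sid Sid_len Sid_norm User_plain OU_plain User_norm OU_norm
```

If User_plain is empty but User_norm is populated, the event-side key carries whitespace or a case difference that the match does not tolerate, and Sid_len shows whether it is longer than the 47-character SID literal. If both stay empty, compare the stored side with | inputlookup AD_Obj_User | eval objectSid_len=len(objectSid) | search objectSid=S-1-2-34-56789012-345678901-234567890-123456 to see how the key is held in the KV Store.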