I would look at that but as it's splunkcloud i have no terminal access to the instance to do that. Roll back would be easier as i could copy the entire app directory and then hack away  ... View more

It's splunkcloud so I believe it's hosted on AWS not Azure. I think i'm just going to have to bruteforce it and create a CSV with outputlookup that runs regularlly. And see if the dev of that app has any insights as to the issue. ... View more

I thought about it the case sensitivty and wiether it's lower or upper case s doesn't seem to impact the results from the lookup with the search. Performing your equality test with the upper case is the result is SAME with the lower case s the result is DIFF ... View more

Thanks for going through the effort. I'm not sure what is occuring. the lookup is a KV Store. I decided to export it with the "splunk app for lookup file editing" as a csv and re-import it as CSV attempting to maintain the same data. To my surprise as a csv lookup that contains the same data and fields. The lookup works as expected.   | inputlookup AD_Obj_User_TEST.csv | search sid_lookup=S-0-0-00-0000000000-0000000000-00000000-000002 | lookup AD_Obj_User_TEST.csv sAMAccountName as sAMAccountName output sid_lookup as "SID via SAM" | lookup AD_Obj_User_TEST.csv sid_lookup as sid_lookup output sid_lookup as "SID via SID" | table "SID via SAM", "SID via SID"   SID via SAM SID via SID S-0-0-00-0000000000-0000000000-00000000-000002 S-0-0-00-0000000000-0000000000-00000000-000002   The SH/Idx are both cloud instances so I have little say about the underlying OS ... View more

Thanks both for your posts: To add more context this lookup is created and maintained by the splunk app "MS Windows AD Objects" @bowesmana: Apologies i know "it doesn't work" is non-descriptive. I get no errors executing the search with any of the lookup statements, it just does not return any fields from the lookup from the below: | lookup AD_Obj_User sid_lookup as account_sid output displayName as "DisplayName1" I performed your search suggestion and the results are what I see with my previous search query. I added a new field with a value that i know exists and works with this lookup and extracted the sid_lookup field to compare the results.   | makeresults | eval account_sid="S-0-0-00-0000000000-0000000000-00000000-000001" | eval account_sam="doej" | lookup AD_Obj_User sid_lookup as account_sid output displayName as "DisplayName1" | lookup AD_Obj_User sAMAccountName as account_sam output displayName as "DisplayName2", sid_lookup as "lookup_account_sid"    Results: DisplayName1 DisplayName2 _time account_sam account_sid lookup_account_sid (empty) John Doe 00:00:00 doej S-0-0-00-0000000000-0000000000-00000000-000001 S-0-0-00-0000000000-0000000000-00000000-000001   @yuanliu: For the sake of posterity, please just ignore the complete search query in my original post. I decided to include it so that the entire picture was shared. There are a total of 26 headers in this lookup that is built by "MS Windows AD Objects". Here is an example of how some of those fields are populated. badPwdCount cn whenChanged whenCreated isDeleted displayName sAMAccountName sid_lookup 0 john doe 00:00:00 00:00:00 no John Doe doej S-0-0-00-0000000000-0000000000-00000000-000001   Below is a simplified search, quering just the lookup in question with the same result:   index=wineventlog source=WinEventLog:Security EventCode=4728 | rex field=member_obj_sam "(?<account_sid>\w-\w-\w-\w\w-[0-9]+-[0-9]+-[0-9]+-[0-9]+") | lookup AD_Obj_User sAMAccountName as src_user output displayName as "Admin Display Name" | lookup AD_Obj_User sid_lookup as account_sid output displayName as "Account Display Name 1" | lookup AD_Obj_User sAMAccountName as member output displayName as "Account Display Name 2"   src_user & member both map correctly and extract the fields requested and rename them. sid_lookup  fails to return anything, the field exists in the lookup and has data such as "S-0-0-00-0000000000-0000000000-00000000-000002" performing the below resturns the results in the aforementioned lookup fields example.   |inputlookup AD_Obj_User | search sid_lookup="S-0-0-00-0000000000-0000000000-00000000-000002"   The examples of the events that this search is quering is below, it is the same event type however the data in some of the events is different, one has a human-readable username the other the user's sid(security identifier). The "member_obj_sam" field will be populated with both username and sid, I am using the lookup to return some useful information such as the users full name. Example 1)   11/10/2022 12:38:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=domain-controller.corp TaskCategory=Security Group Management OpCode=Info RecordNumber=0000000000 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: CORP\admin Account Name: admin Account Domain: corp Logon ID: 0x000000000 Member: Security ID: CORP\doej Account Name: CN=John Doe,OU=corp-user,OU=Users,DC=corp,DC=com Group: Security ID: CORP\power_users Group Name: power_users Group Domain: CORP   Example 2)   1/04/2022 10:10:53 AM LogName=Security EventCode=4728 EventType=0 ComputerName=domain-controller2.corp SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=0000000000 Keywords=Audit Success TaskCategory=Security Group Management OpCode=Info Message=A member was added to a security-enabled global group. Subject: Security ID: S-0-0-00-0000000000-0000000000-00000000-000002 Account Name: admin Account Domain: CORP Logon ID: 0x000000003 Member: Security ID: S-0-0-00-0000000000-0000000000-00000000-000001 Account Name: N=John Doe,OU=corp-user,OU=Users,DC=corp,DC=com Group: Security ID: S-0-0-00-0000000000-0000000000-00000000-000003 Group Name: auditors Group Domain: CORP Additional Information: Privileges: -     ... View more