I have some trouble with a search from a CSV list.
If a column contains two words separated by a space, the search is done separately for both.
Example:
sourcetype="WinEventLog:Security" ("Domain Admins") - gives correct result
litsearch (index=* sourcetype="WinEventLog:Security" "Domain Admins") | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
If I try to do it like this with a list:
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ((Domain Admins) OR (Domain Users))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
group_list.csv
group_name
Domain Admins
Domain Users
This search returns results where domain, users, admin are found, but not "Domain Admins".
I tried adding quotes and delimiters, but this does not help:
nr,group_name,desc
1,"Domain Admins",super
2,Domain Users,standard
I have added to the CSV like this:
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and the quotes are in the search:
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events return exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
The only issue is that the search takes a long time, but for a start it is OK.
Thank you for the advice!
The final search looks like:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
Try it like this:
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | eval group_name="\"".group_name."\"" |
return 10 $group_name]
OR
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | head 10 | table group_name | rename group_name as search]
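To make the quoting behaviour concrete, here is an added Python model (not Splunk code and not posted by anyone in this thread) that builds the subsearch's OR clause from the thread's group_list.csv (embedded as a constructed string), both bare as `return 10 $group_name` emits it and quoted as the eval above produces it, and uses a simplified term-versus-phrase matcher to show why the bare form over-matches. Splunk's real tokenizer is only approximated here, and the event text is constructed for illustration.

```python
import csv
import io
import re

# Constructed copy of the thread's lookup file (not read from disk).
GROUP_LIST_CSV = """nr,group_name,desc
1,Domain Admins,super
2,Domain Users,standard
"""

def lookup_values(csv_text, field):
    """Return one column's values, as inputlookup would hand them on."""
    return [row[field] for row in csv.DictReader(io.StringIO(csv_text))]

def spl_quote(value):
    """Wrap a value in double quotes, escaping backslashes and embedded
    quotes so a lookup value is always one phrase term and cannot end
    the quoted string early (relevant when the CSV is user-maintained)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def or_clause(values, quoted):
    """Build the OR filter the subsearch expands to; quoted=False
    reproduces the bare 'return 10 $group_name' expansion from the thread."""
    terms = [spl_quote(v) if quoted else v for v in values]
    return "(" + " OR ".join(f"({t})" for t in terms) + ")"

def phrase_matches(event, value):
    """Simplified model of a quoted term: words adjacent and in order."""
    pattern = r"\b" + r"\s+".join(map(re.escape, value.split())) + r"\b"
    return re.search(pattern, event, re.IGNORECASE) is not None

def bare_matches(event, value):
    """Simplified model of an unquoted multi-word term: every word is an
    independent AND-ed term, so the words may sit anywhere in the event."""
    words = set(re.findall(r"\w+", event.lower()))
    return all(w.lower() in words for w in value.split())

def any_group_matches(event, values, quoted):
    """True if the event would be returned by the OR clause in either form."""
    match = phrase_matches if quoted else bare_matches
    return any(match(event, v) for v in values)

# Constructed event: mentions "domain" and "admins" but not the phrase.
SAMPLE_EVENT = ("Account jdoe logged on; domain controller audit "
                "reviewed by Admins.")
```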
Thanks for the advice.
Try this:
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
Let me know what output you are receiving.
Use 101010 (code sample) to post a search or code.
You can try ('Domain Admins' OR 'Domain Users')?
This option does not help; the search returns no hits.
litsearch (index=* sourcetype="WinEventLog:Security" (('Domain Admins') OR ('Domain Users'))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
I think it performs a 'Domain AND Admin' search, not "Domain Admin".