Splunk Search

How do you filter by Host and Account_Name with inputlookup and display only differences?

chanthongphiob
Path Finder

I currently have a lookup table that consists of Account_Name and Host. This was created from Windows Event 4624 (An Account was successfully logged on) from a search parameter of the last 30 days. I want to use the lookup table to filter the Account_Name and Hosts, and display in the new query the differences that the new search brings. For example,

Lookup Table:
Account_Name,Host
Alpha, comp1
Bravo, comp1,comp3
Charlie, comp5,comp6
Delta, comp4,comp8

New Logons Data:
Alpha, comp1,comp2
Bravo, comp2,comp3
Charlie, comp4,comp5,comp6
Delta, comp4,comp8

So the new results should provide me with:

Alpha, comp2
Bravo, comp2
Charlie, comp4

So far my query is as follows:

index=main EventCode=4624 NOT  [ | inputlookup lookuptable.csv ] | Table Account_Name Host

This is how I set up lookup tables with one field for filtering, but trying to filter from two fields has got me stuck.

Thanks in advance for any help.

0 Karma

somesoni2
Revered Legend

Assuming an event of EventCode 4624 has a single Account_Name and Host mapping and your lookup has multiple Host entries separated by a comma, try like this:

index=main EventCode=4624 NOT [ | inputlookup lookuptable.csv | table Account_Name Host |  makemv Host delim="," | mvexpand Host] | Table Account_Name Host
0 Karma

chanthongphiob
Path Finder

The lookup table is delimited by a space.

However, I was mistaken about the table function. I used...

index=main EventCode=4624 | stats count values(ComputerName) AS Host by Account_Name | outputlookup lookuptable.csv

The results from the above query gave me my original lookup table. Now I want to produce another query to filter with the differences from Account_Name and Host.

The first solution did not filter anything. I ran the search without "NOT | inputlookup lookuptable.csv" and the results are the exact same with the "NOT | inputlookup lookuptable.csv" added to the query.

0 Karma
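An added worked example, not code from any of the posters, that applies two changes to the subsearch approach in the thread. It assumes the lookup file is lookuptable.csv with a space-delimited multivalue Host column (as the original poster describes), and that the raw 4624 events carry the computer name in a field named ComputerName, as in the poster's own outputlookup search. Under that second assumption the subsearch must emit ComputerName=... terms rather than Host=... terms, otherwise the generated NOT clause never matches an event field and nothing is filtered out.

```spl
index=main EventCode=4624
    NOT [
        | inputlookup lookuptable.csv
        | table Account_Name Host
        | makemv delim=" " Host
        | mvexpand Host
        | rename Host AS ComputerName
    ]
| stats values(ComputerName) AS new_hosts BY Account_Name
```

The subsearch expands each lookup row into one (Account_Name, ComputerName) pair and Splunk rewrites those pairs into an OR of AND terms, so the outer search keeps only logons whose account/computer combination is not already in the baseline; the final stats collapses the survivors back into the Account_Name, host-list shape of the lookup (Alpha with comp2, Bravo with comp2, Charlie with comp4 for the sample data). Two checks worth running before trusting the result: `| inputlookup lookuptable.csv | makemv delim=" " Host | mvexpand Host` on its own confirms the delimiter actually splits the hosts, and the subsearch is subject to the default limit of 10,000 result rows, so a baseline larger than that should be applied with `lookup` instead of a NOT subsearch.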