Why do I get this message?
Assuming implicit lookup table with filename sidtodn.csv
It seemed to me that I was fairly explicit about the lookup table:
Here's my search:
sourcetype="WinEventLog:Security" CategoryString="Directory Service Access" Accesses="Create Child"
| rename Additional_Info AS DN
| dedup DN
| join usetime=true earlier=false DN [search sourcetype=activedirectory admonEventType="update" displayName="$CimsUser*" | rename distinguishedName AS DN ]
| lookup sidtodn.csv objectSid as parentLink OUTPUT distinguishedName AS parent
| table parent name uid gid home unix_enabled User
Note, I'm having to join on DNs because GUID and SID output is broken in 4.1.5.
The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:
[sidtodn]
filename = sidtodn.csv
Then you can refer to the lookup as lookup sidtodn ...
Thanks. That worked, but I strongly question the value of that error message.