Assuming implicit lookup table with filename blah.csv

mpatnode
Path Finder

Why do I get this message?

Assuming implicit lookup table with filename sidtodn.csv

It seemed to me that I was fairly explicit about the lookup table:

Here's my search:

sourcetype="WinEventLog:Security" CategoryString="Directory Service Access" Accesses="Create Child"
| rename Additional_Info AS DN
| dedup DN
| join  usetime=true earlier=false  DN [search sourcetype=activedirectory admonEventType="update" displayName="$CimsUser*" | rename distinguishedName AS DN ]
| lookup sidtodn.csv objectSid as parentLink OUTPUT distinguishedName AS parent
| table parent name uid gid home unix_enabled User

Note, I'm having to join on DNs because GUID and SID output is broken in 4.1.5.

Stephen_Sorkin
Splunk Employee

The easiest way to get rid of this message is to define the lookup in transforms.conf. For example:

[sidtodn]
filename = sidtodn.csv

Then you can refer to the lookup as lookup sidtodn ....
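
For completeness, here is the question's search rewritten against the named lookup from the transforms.conf stanza above (an added example, not code from either poster). It assumes sidtodn.csv is in the same app's lookups directory and that its header row contains the objectSid and distinguishedName fields the lookup command references.

```spl
sourcetype="WinEventLog:Security" CategoryString="Directory Service Access" Accesses="Create Child"
| rename Additional_Info AS DN
| dedup DN
| join usetime=true earlier=false DN
    [ search sourcetype=activedirectory admonEventType="update" displayName="$CimsUser*"
      | rename distinguishedName AS DN ]
| lookup sidtodn objectSid AS parentLink OUTPUT distinguishedName AS parent
| table parent name uid gid home unix_enabled User
```

Only the lookup line changes: the stanza name sidtodn replaces the raw filename sidtodn.csv, so Splunk resolves the table through the definition instead of guessing, and the warning goes away.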

mpatnode
Path Finder

Thanks. That worked, but I strongly question the value of that error message.