Splunk Search

Populate field based on subsearch

evetsleep
New Member

I have a Splunk query that parses out some Windows event log data. One of the things that I examine is the user name mentioned in the event to see if they are in a lookup file. Something like:

index=security EventCode=5136 | eval AdminName=AccountName | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk | eval IsHelpDesk=if(match(HelpDesk,"^\w+"),"TRUE","FALSE") | table _time,AdminName,IsHelpDesk,User,OtherStuff

I generate the contents of helpdesk.csv every morning (it's an ldapsearch that pulls the membership of some groups).

I am wondering if there is a way to do the above search without generating the helpdesk.csv lookup file every day and instead populate TRUE or FALSE for IsHelpDesk based on a subsearch (that uses ldapsearch to see if the user is a member of a group) to create a temporary lookup table so it can all be done in a single search?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

IMO, a single ldapsearch query to populate the helpdesk.csv file would be more performant than a separate ldapsearch for each row found in the security index each time this query runs. Your AD admin will appreciate it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
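The single scheduled ldapsearch recommended above, written out as an added example (not from this thread) in savedsearches.conf form. The stanza names, the AD domain "EXAMPLE" and the group DN are placeholders, and the ldapsearch command is assumed to come from the SA-ldapsearch add-on.

```ini
# savedsearches.conf (added example, not from the thread). Stanza names,
# the AD domain "EXAMPLE" and the group DN are placeholders; the ldapsearch
# command is assumed to be provided by the SA-ldapsearch add-on.

# 1. Scheduled search: one LDAP query per day rebuilds the lookup file.
[Build helpdesk lookup]
enableSched = 1
cron_schedule = 0 6 * * *
search = | ldapsearch domain="EXAMPLE" \
    search="(&(objectClass=user)(memberOf=CN=HelpDesk,OU=Groups,DC=example,DC=com))" \
    attrs="sAMAccountName" \
  | rename sAMAccountName AS AdminName \
  | dedup AdminName \
  | table AdminName \
  | outputlookup helpdesk.csv

# 2. The reporting search only reads the lookup, so no LDAP traffic per event.
#    Assumes a lookup definition named helpdesk.csv, as in the question.
#    On a lookup miss HelpDesk stays null, so isnotnull() replaces the
#    regex test from the original query.
[Directory changes by helpdesk admins]
search = index=security EventCode=5136 \
  | eval AdminName=AccountName \
  | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk \
  | eval IsHelpDesk=if(isnotnull(HelpDesk), "TRUE", "FALSE") \
  | table _time, AdminName, IsHelpDesk, User
```

A plain memberOf filter only matches direct members; if the help desk group contains nested groups, use the AD matching-rule form `memberOf:1.2.840.113556.1.4.1941:=<group DN>` in the filter instead.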

evetsleep
New Member

Yeah, I am kind of hoping for a way to do it as a one-time thing (at that moment), but as part of a search. So generate a lookup table and reference that table in the same search.

0 Karma

lakshman239
Influencer

If you have Splunk Enterprise Security, the users can be part of asset/identity lookups/KV store and the user fields will be auto extracted for you. In the absence of ES, your best bet would be to run an LDAP search each day or twice each day and update the single lookup, and maybe make it an automatic lookup?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Why? Doing so means you'll be hitting the LDAP server each time the search runs instead of once each day to build the lookup file.

---
If this reply helps you, Karma would be appreciated.
0 Karma