Hi All,
I'm not very experienced with Splunk searches and I haven't been able to get this working so I'm hoping someone can help me out. What I would like to do is the following:
1. Perform a search for all successful authentication attempts against our SSO system and extract the usernames.
2. Perform a search on each username in the results against a different sourcetype and see if any results are returned.
3. If no result is returned for a particular username, report on that fact.
I've come up with the following search to accomplish the first step:
sourcetype="sso" ValidateUsernamePasswordAgainstLDAP succeeded earliest=-25m latest=-10m | makemv delim="'" _raw | eval ssouser=mvindex(_raw,1) | table ssouser | dedup ssouser
My thinking was that in order to accomplish step (2), I would need to iterate over the results and use a subsearch. Since I came at this from a 'coding' perspective, I figured I'd need to use foreach to create a loop that iterates over the results:
sourcetype="sso" ValidateUsernamePasswordAgainstLDAP succeeded earliest=-25m latest=-10m | makemv delim="'" _raw | eval ssouser=mvindex(_raw,1) | table ssouser | dedup ssouser | foreach ssouser [search sourcetype="duo:authentication"]
It's as if this performs two separate searches, though: The results first show what's found with the subsearch (with nothing in the ssouser column), followed by the list of usernames found in the main search (which appear in the ssouser column). So obviously this isn't the way to go about it. I've since learned that the idea of using a loop isn't really the way to approach this, so instead I just tried a subsearch without foreach:
sourcetype="sso" ValidateUsernamePasswordAgainstLDAP succeeded earliest=-25m latest=-10m | makemv delim="'" _raw | eval ssouser=mvindex(_raw,1) | dedup ssouser | table ssouser [search sourcetype="duo:authentication"]
This returns the following error:
Error in 'table' command: Invalid argument: 'action=success'
So it seems that it's treating the results of the subsearch as an argument. I've been tweaking this search and reading posts by others trying to accomplish similar things but I haven't had any luck moving forward.
Any suggestions?
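One way to get steps (2) and (3) in a single search, added here as an example and not part of the original post: pull both sourcetypes in one base search, normalise the username into one field, and let stats count each user's events per sourcetype, so no subsearch or loop is needed (a subsearch's output is spliced back in as search terms, which is why table rejected `action=success`). The Duo username field is assumed to be `user`; substitute whatever field your duo:authentication events actually carry.

```spl
(sourcetype="sso" ValidateUsernamePasswordAgainstLDAP succeeded) OR (sourcetype="duo:authentication")
    earliest=-25m latest=-10m
| eval ssouser=if(sourcetype=="sso",
                  mvindex(split(_raw, "'"), 1),   /* same extraction as the original search */
                  user)                           /* assumption: Duo username field is 'user' */
| stats count(eval(sourcetype=="sso"))                AS sso_count,
        count(eval(sourcetype=="duo:authentication")) AS duo_count
        BY ssouser
| where sso_count > 0 AND duo_count = 0
| table ssouser sso_count duo_count
```

Each row returned is a user who authenticated successfully against SSO in the window but produced no Duo event at all; widen the Duo side of the time range if the second factor normally lands a little after the SSO success.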