I have a Splunk query that parses out some Windows event log data. One of the things that I examine is the user name mentioned in the event to see if they are in a lookup file. Something like:
index=security EventCode=5136 | rename AccountName AS AdminName | lookup helpdesk.csv AdminName OUTPUT AdminName AS HelpDesk | eval IsHelpDesk = if(match(HelpDesk,"^\w+"),"TRUE","FALSE") | table _time,AdminName,IsHelpDesk,User,OtherStuff
I generate the contents of helpdesk.csv every morning (it's an ldapsearch that pulls the membership of some groups).
I am wondering if there is a way to do the above search without generating the helpdesk.csv lookup file every day and instead populate TRUE or FALSE for IsHelpDesk based on a subsearch (that uses ldapsearch to see if the user is a member of a group) to create a temporary lookup table so it can all be done in a single search?
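One way to fold the group check into the search itself with a subsearch, as an added example that is not part of the original post. It assumes the SA-ldapsearch app is installed with a configured LDAP domain named `default`, that the group is named `HelpDesk`, and that the CN in each member DN is the same string as the `AccountName` in the event (all assumptions; adjust to your directory).

```spl
index=security EventCode=5136
| rename AccountName AS AdminName
| join type=left AdminName
    [| ldapsearch domain=default search="(&(objectClass=group)(cn=HelpDesk))" attrs="member"
     | mvexpand member
     | rex field=member "^CN=(?<AdminName>[^,]+)"
     | eval IsHelpDesk="TRUE"
     | fields AdminName IsHelpDesk]
| fillnull value="FALSE" IsHelpDesk
| table _time, AdminName, IsHelpDesk, User, OtherStuff
```

The subsearch runs once per search and is subject to the usual subsearch row and time limits, so very large groups may be truncated silently; if account names differ in case between the event and the directory, wrap both sides in `lower()` before the join.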