cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
atul9771
Engager
Member since: ‎12-04-2018
‎02-28-2024
Community Statistics
Posts 8
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-04-2018
Activity Feed
View All

Re: Passing lookup value to search

by in Splunk Search
‎02-28-2024 04:26 PM
‎02-28-2024 04:26 PM
Brilliant, @yuanliu. Both solutions work. Thanks again. ... View more

Re: Passing lookup value to search

by in Splunk Search
‎02-28-2024 01:13 PM
‎02-28-2024 01:13 PM
Thank you, @yuanliu , for your quick response.  Your query returned authentication events for the first user in the users.csv file.  How can we modify the query to get the authentication events for all the users in the user.csv file?   ... View more

Passing lookup value to search

by in Splunk Search
‎02-28-2024 12:39 PM
‎02-28-2024 12:39 PM
I have users.csv as a lookup file with almost 20K users.  I'm writing a query for authentication events for a specific time range for all these users.  CSV file has only one column with the email address of each user and the column header is email. 1) Get the user email from the lookup user.csv file 2) pass user email in the search  3) Authentication counts per day for specific time range. I don't have email as a field in the authentication event. . i can get USER-EMAIL in the authentication event using  formula  Index="IndexName"| fields "_time", "eventType", "target{}.alternateId", "target{}.type" | | search "eventType" = "user.authentication.sso" | rename "target{}.alternateId" AS "targetId" | rename "target{}.type" AS "targetType" | eval "Application"=mvindex(targetId, mvfind(targetType, "AppInstance")) | eval "USER-EMAIL"=mvindex(targetId, mvfind(targetType, "AppUser")   authentication event {"actor": {"id": "00u1p2k8w5CVuKgeq4h7", "type": "User", "alternateId": "USER-EMAIL", "displayName": "USER-NAME", "detailEntry": null}, "device": null, "authenticationContext": {"authenticationProvider": null, "credentialProvider": null, "credentialType": null, "issuer": null, "interface": null, "authenticationStep": 0}, "displayMessage": "User single sign on to app", "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS", "reason": null}, "published": "2024-02-20T22:25:18.552Z", "signOnMode": "OpenID Connect",}, "target": [{"id": "XXXXXXX", "type": "AppInstance", "alternateId": "APPLICATION-NAME": "OpenID Connect Client", "detailEntry": {"signOnModeType": "OPENID_CONNECT"}}, {"id": "YYYYYY", "type": "AppUser", "alternateId": "USER-EMAIL, "displayName": "USER-NAME, "detailEntry": null}]}     Index="indexName" "eventType" = "user.authentication.sso" [|inputlookup "users.csv"] is not working. any help is appreciated.  ... View more
Labels

Re: query returned field passed to another query

by in Splunk Search
‎02-20-2024 02:53 PM
‎02-20-2024 02:53 PM
Thanks for your reply. but if the statement is not returning only a specific event user name.  here are two events. group.user_membership.add Event {"actor": {"id": "spr1g8od2gOPLTfra4h7", "type": "SystemPrincipal", "alternateId": "system@okta.com", "displayName": "Okta System", "detailEntry": null}, "client": {"userAgent": null, "zone": null, "device": null, "id": null, "ipAddress": null, "geographicalContext": null}, "device": null, "authenticationContext": {"authenticationProvider": null, "credentialProvider": null, "credentialType": null, "issuer": null, "interface": null, "authenticationStep": 0, "externalSessionId": "trs-tF3wuwOTRiKM_BZirBk9A"}, "displayMessage": "Add user to group membership", "eventType": "group.user_membership.add", "outcome": {"result": "SUCCESS", "reason": null}, "published": "2024-02-20T15:40:04.384Z", "securityContext": {"asNumber": null, "asOrg": null, "isp": null, "domain": null, "isProxy": null}, "severity": "INFO", "debugContext": {"debugData": {"triggeredByGroupRuleId": "0pr7fprux4jw2hORP4h7"}}, "legacyEventType": "core.user_group_member.user_add", "transaction": {"type": "JOB", "id": "cpb7g4ndq8ZaAR5S14h7", "detail": {}}, "uuid": "5115faa0-d006-11ee-84e8-0b1ac5c0434f", "version": "0", "request": {"ipChain": []}, "target": [{"id": "00u7g4ndmhZ2j2J1i4h7", "type": "User", "alternateId": "USER-EMAIL", "displayName": "USER-NAME", "detailEntry": null}, {"id": "00g7fpoiohiAF2JrY4h7", "type": "UserGroup", "alternateId": "unknown", "displayName": "GROUP-NAME", "detailEntry": null}]} user.authentication.sso Event {"actor": {"id": "00u1p2k8w5CVuKgeq4h7", "type": "User", "alternateId": "USER-EMAIL", "displayName": "USER-NAME", "detailEntry": null}, "device": null, "authenticationContext": {"authenticationProvider": null, "credentialProvider": null, "credentialType": null, "issuer": null, "interface": null, "authenticationStep": 0}, "displayMessage": "User single sign on to app", "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS", "reason": null}, "published": "2024-02-20T22:25:18.552Z", "signOnMode": "OpenID Connect",}, "target": [{"id": "0oa2n26twxcr3lNWO4h7", "type": "AppInstance", "alternateId": "APPLICATION-NAME": "OpenID Connect Client", "detailEntry": {"signOnModeType": "OPENID_CONNECT"}}, {"id": "0ua2n4im21IccI2Eh4h7", "type": "AppUser", "alternateId": "USER-EMAIL, "displayName": "USER-NAME, "detailEntry": null}]}   And my query Index= "IndexName"(eventType="group.user_membership.add" OR eventType="user.authentication.sso") | rename "target{}.alternateId" AS "targetId" |rename "target{}.type" AS "targetType" | eval User=if(eventType="group.user_membership.add",mvindex(targetId, mvfind(targetType, "User")),"SSO User") |spath "target{}.displayName" |rename target{}.displayName as grpID| eval groupName=mvindex(grpID, 1) | table User groupName | where eventType="user.authentication.sso"   What I'm looking is grab the user name and group name for  the  eventType="group.user_membership.add only , this event type will tell me when the user is added to the particular group then search the User name in the eventType="user.authentication.sso and display the result as group name and user name. Basically I want to get the list of users by group name started using authentication service. Thanks again for your time.    ... View more

query returned field passed to another query

by in Splunk Search
‎02-20-2024 08:41 AM
‎02-20-2024 08:41 AM
I need help to write a search query where the result from the one query is passed onto the second query 1 we import the users from the active directory group in the okta group and the event eventType="group.user_membership.add" captures this Json event Following the query get me the name of the group and user name. index="indexName"   eventType="group.user_membership.add" | spath "target{}.displayName" |rename target{}.displayName as grpID| eval groupName=mvindex(grpID, 1) |  rename "target{}.alternateId" AS "targetId" | rename "target{}.type" AS "targetType"| eval target_user=mvindex(targetId, mvfind(targetType, "User")) | table target_user groupName 2. After the user is added to the Okta group, I want to find the occurrence of the user authentications during time range  . I can separately find user authentication using eventType="user.authentication.sso" this event doesn't have a group name. index="indexName"   eventType="user.authentication.sso"  target_user  | stats count by date How do I pass the user in the first query to the second query. I cannot use subsearch since the main search eventype is not the same as the second sub search.   Basically, I want to create a report by groupname/username authentications for the selected time range Any help is appreciated. ... View more
Labels

Re: How do you extract multiple substrings from th...

by in Splunk Search
‎12-04-2018 09:44 PM
‎12-04-2018 09:44 PM
I figure out the error, Instead of P , you need to put actual field name. here is final syntax. Thanks for your help (?[^\s]+)([^]]+)]\s\"(?[^\"]+)\"\s\"(?[^\s]+)\s(?[^\s]+)\s(?[^\"]+) ... View more

Re: How do you extract multiple substrings from th...

by in Splunk Search
‎12-04-2018 07:48 PM
‎12-04-2018 07:48 PM
Thanks nagarjuna280 for your answer but I got the following error Regex: unrecognized character after (?P and error entry in the log file is 12-04-2018 21:43:51.453 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Encountered the following error while compiling the regex '\w+\s+(?P[^\s]+)([^]]+)]\s"(?P[^"]+)"\s"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^"]+)"': Regex: unrecognized character after (?P ... View more

How do you extract multiple substrings from the fo...

by in Splunk Search
‎12-04-2018 03:43 PM
‎12-04-2018 03:43 PM
I'm new to splunk. I have a log event in the following format. The report should capture the Hostname, Agentname and Resource. Also, I'd like to remove the duplicate entries. [Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource] [TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name] and log entry example is below AuthAccept Hostname [03/Dec/2018:17:43:06 -0600] "ClientIP UserDN" "Agentname GET /WMT_Logon/Account/LogOn?ViewFlag=false" [idletime=1800;maxtime=603603054;authlevel=5;] [0] [] [] CN = FirstName LastName host = HostName source = c:\Program Files (x86)\ca\siteminder\log\smaccess-dotoksm03pv.log sourcetype = smaccess I want hostname, Agentname, Resource and Resource in above example is /WMT_Logon/Account/LogOn?ViewFlag=false. But could be different for every event. I appreciate any help writing this search string. Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-28-2024 06:50 PM