I'm trying to match the dates on specific event logs with an inputlookup file. I've done this in the past and it has worked perfectly but for some reason, in this case the data is not coming back as expected and I'm hoping someone can shine a light on the issue.

Select the CSV file that you want to upload, and type a destination filename. The destination filename will later be used in the search query. In our example, we'll upload our file as server_logon_whitelist.csv. Click on Save and the CSV file will be available for use in search queries.

What we want to do now is correlate the search results with the entries in the CSV file. We will configure our search query so that we will only see search results that are not defined in the CSV file.

We start by selecting all events that have EventCode 4624. The search query is constructed as follows:

```
| table _time, EventCode, Account_Name, ComputerName
```

We will then join the search results with the CSV file. Joining with the CSV file is done with the inputlookup command. We will do a left join on the EventCode, Account_Name and ComputerName fields. We do a left join in order to also keep the events in the search results for which no match is found in the CSV file:

```
| join type=left EventCode, Account_Name, ComputerName
```

We also define a new field "whitelisted". This field is only set to "true" in search results for which a match is found in the CSV file. In order to not see the permitted (or whitelisted) results, we add a where clause that filters out the search results of which the field whitelisted is set to true. This means that our search result will only contain the events for which no match was found in the CSV file.

The final search query will be as follows:

```
| appendpipe [ stats count by clusterTitle | join max=0 clusterTitle [ inputlookup clusterTable.csv ] | fields - count ] | stats values() by clusterTitle
```
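The whitelist correlation described above, reproduced as an added Python example (not the page's own search or code) so the left-join and where-filter behaviour can be run offline; the CSV rows, event records and the host and account names are constructed. A match requires all three join fields, so a permitted account logging on to a host that is not paired with it in the CSV is still reported, and events with no CSV match are kept rather than dropped.

```python
import csv
import io

# Constructed stand-in for the uploaded server_logon_whitelist.csv
# (columns match the three fields the search query joins on).
WHITELIST_CSV = """EventCode,Account_Name,ComputerName
4624,svc_backup,SRV-FILE01
4624,admin.jane,SRV-DC01
"""

# Constructed events, as the `table _time, EventCode, Account_Name, ComputerName`
# step would emit them (hosts and accounts are made up).
EVENTS = [
    {"_time": "2024-01-10T08:00:00", "EventCode": "4624", "Account_Name": "svc_backup", "ComputerName": "SRV-FILE01"},
    {"_time": "2024-01-10T08:05:00", "EventCode": "4624", "Account_Name": "admin.jane", "ComputerName": "SRV-WEB02"},
    {"_time": "2024-01-10T08:07:00", "EventCode": "4624", "Account_Name": "admin.jane", "ComputerName": "SRV-DC01"},
    {"_time": "2024-01-10T08:09:00", "EventCode": "4625", "Account_Name": "svc_backup", "ComputerName": "SRV-FILE01"},
]

JOIN_FIELDS = ("EventCode", "Account_Name", "ComputerName")

def load_whitelist(csv_text):
    """`| inputlookup server_logon_whitelist.csv`: one key per CSV row over the join fields."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {tuple(row[f].strip() for f in JOIN_FIELDS) for row in reader}

def select_logons(events, event_code="4624"):
    """The opening EventCode=4624 selection."""
    return [ev for ev in events if ev["EventCode"] == event_code]

def left_join_whitelist(events, whitelist):
    """`| join type=left EventCode, Account_Name, ComputerName [...]`: every event is
    kept; `whitelisted` is "true" only where all three fields match a CSV row."""
    joined = []
    for ev in events:
        row = dict(ev)
        matched = tuple(ev[f] for f in JOIN_FIELDS) in whitelist
        row["whitelisted"] = "true" if matched else None
        joined.append(row)
    return joined

def unexpected_logons(events, csv_text):
    """The final `where` clause: drop rows whose whitelisted field is "true"."""
    joined = left_join_whitelist(select_logons(events), load_whitelist(csv_text))
    return [ev for ev in joined if ev["whitelisted"] != "true"]

if __name__ == "__main__":
    for ev in unexpected_logons(EVENTS, WHITELIST_CSV):
        print(ev["_time"], ev["Account_Name"], ev["ComputerName"])
```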