topic Is it possible to alert on something that is NOT in a lookup file? in Splunk Search

Is it possible to alert on something that is NOT in a lookup file?

Svill321 — Tue, 27 Jun 2017 21:04:18 GMT

Hello everyone,

Basically exactly what the title says. I made a white list of approved accounts and would like to alert on successful logins for accounts that are NOT on that list. So far, what I have is very basic:

| inputlookup test_lookup | return account

The issue is that I can't find anything on the logic needed to match for accounts that are not in the file.

Re: Is it possible to alert on something that is NOT in a lookup file?

horsefez — Tue, 29 Sep 2020 14:39:53 GMT

Hi,

I do white- and blacklisting via lookup files.

The logic behind that evolves around this

For example this will give you only results for events that src_ip does not show up in the ip_whitelist lookup table.

| inputlookup ip_whitelist ip AS src_ip OUTPUT ip AS src_ip2 | where isnull(src_ip2)

Re: Is it possible to alert on something that is NOT in a lookup file?

cmerriman — Tue, 27 Jun 2017 21:23:25 GMT

You might try the set diff command. http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Set

It takes two lists and basically finds the differences

Re: Is it possible to alert on something that is NOT in a lookup file?

somesoni2 — Tue, 27 Jun 2017 21:28:47 GMT

Try like this

your base search to get account logins NOT [| inputlookup test_lookup | table account ]  | table ...relevant field to show in alert...

Above assumes that your logs have a field called account which has exactly same value as account field in the lookup table. If the field names are different, add a rename command in subsearch. You can then setup alert to get fired when number of events are greater than 0.