topic Re: Lookup table for search exclusions using a combination of multiple fields in Splunk Search

Lookup table for search exclusions using a combination of multiple fields

geoffmoraes — Mon, 26 Oct 2020 06:57:06 GMT

I have an alert to discover logins from accounts on servers and workstations. Some of these logins are normal and so I am attempting to create an exclusion for these events. This is a discovery process, and a list of normal logins is not known. At the moment, the exclusions are done with individual search commands for readability. But this query search lines are getting bigger by the day.

<base-search> | search NOT (accountName=svcAPP01 AND computerName=srv-APP1-blah) | search NOT (accountName=svcAPP02 AND computerName=srv-APP02-*) | search NOT (accountName=svcAPP03 AND computerName=srv-APP03-blah computerName=ws-somename-blah) | table _time, accountName, computerName

Is it possible to create an inputlookup table for such an exclusion, where the criteria are a combination of two fields; accountName and computerName?

Re: Lookup table for search exclusions using a combination of multiple fields

gcusello — Mon, 26 Oct 2020 07:16:21 GMT

Hi @geoffmoraes,

if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:

your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ] | ...

Ciao.

Giuseppe

Re: Lookup table for search exclusions using a combination of multiple fields

geoffmoraes — Mon, 26 Oct 2020 09:24:09 GMT

@gcusello That worked. Thanks!

Re: Lookup table for search exclusions using a combination of multiple fields

gcusello — Mon, 26 Oct 2020 09:28:34 GMT

Hi @geoffmoraes,

Good for you.

Ciao and happy splunking.

Giuseppe.

P.S.: Karma Points are appreciated 😉