topic Re: Add priority to systems and setup alerts for critical systems in Splunk Search

Add priority to systems and setup alerts for critical systems

spj2 — Wed, 06 Nov 2013 17:59:16 GMT

Hi,

I am trying to find automatic way of adding asset priority (Critical, High etc.) based on IP address and/or hostname in the Splunk Enterprise app so that I can setup alerts and prioritize investigations on these. I know that Splunk PCI Compliance app does that but we don't have it. I have searched the forum too, but haven't found anything.

Does anyone know of a way to achieve this?

Thanks in advance.

SPJ

Re: Add priority to systems and setup alerts for critical systems

lguinn2 — Wed, 06 Nov 2013 19:06:03 GMT

I suggest using a lookup table. Your CSV file might look like this

AssetList.csv

assetId,priority
192.168.15.22,Medium
fileserver01,Low

Here is the Splunk tutorial Use field lookups In my examples below, I assume that you have uploaded the AssetList.csv file and created a lookup called assetLookup.

Ultimately, you should be able to do something like this:

yoursearchhere
| lookup assetLookup src_ip as assetId OUTPUT priority
| stats count by priority

yoursearchhere
| lookup assetLookup host as assetId OUTPUT priority
| where priority="High" OR priority="Critical"

Re: Add priority to systems and setup alerts for critical systems

spj2 — Thu, 07 Nov 2013 18:48:25 GMT

Thanks it works with a slight modification:

yoursearchhere
| lookup assetLookup assetId as src_ip OUTPUT priority
| stats count by priority

yoursearchhere
| lookup assetLookup assetId as host OUTPUT priority
| where priority="High" OR priority="Critical"