https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602968#M209859 <P class="lia-align-left">Thanks,&nbsp; it works perfectly!</P><P class="lia-align-left">Is there a semantic to don't append the same processes in the .csv file?</P><P class="lia-align-left">Because I run the search everyday (for a while) to appending new processes (to train the model about the main processes in the machine) and i would to prevent double processes in .csv file.</P><P class="lia-align-left">Thanks a lot!</P> Thu, 23 Jun 2022 08:58:56 GMT raffaelecervino 2022-06-23T08:58:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602768#M209811 <P>Hi,</P> <P>I'm doing a project and I've installed Splunk Trial Enterprise on a server and Universal Forwarder on other three servers (with Ubuntu) that sends me logs. On forwarders exist a script that sends me logs of every processes that's running on server.</P> <P>I would to create a dynamic list where logs of processes is added and tagged as "Well-Knowned Processes". &nbsp;<BR />After that when new logs of processes come to indexer they are compared with logs on dynamic list and if the process was not recognized (doesn't exist in the list) the alert is triggered.</P> <P>I would to do that to check suspicious process.</P> <P>Thanks&nbsp;</P> <DIV> <DIV class="">&nbsp;</DIV> </DIV> Thu, 23 Jun 2022 18:16:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602768#M209811 raffaelecervino 2022-06-23T18:16:57Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602774#M209815 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247088">@raffaelecervino</a>,</P><P>you have two choices:</P><UL><LI>schedule a search that lists all the "well_known" processes and stores them in a lookup to use for the following checks;</LI><LI>run a long search.</LI></UL><P>I prefer the first solution because is quicker but it requires a little bit more work.</P><P>in few words, you have to:</P><UL><LI>create a lookup called e.g.&nbsp;processes.csv in which there's at least one column called process (the same field name to search),</LI><LI>schedule a search like the following using a frequency that depends on when you want to update your list (e.g. one time a day or every hour),</LI></UL><LI-CODE lang="markup">index=your_index | dedup process | sort process | table process | outputlookup processes.csv append=true</LI-CODE><UL><LI>&nbsp;schedule an alert like the following to trigger when there are results (results&gt;0):</LI></UL><LI-CODE lang="markup">| index=your_index NOT [ | inputlookup processes.csv | dedup process | fields process ] | dedup process | sort process | table process</LI-CODE><P>In this way you have a very quick search that you can run also with an high frequency and, if you want, you can also manually modify the lookup adding or deleting processes.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 22 Jun 2022 11:17:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602774#M209815 gcusello 2022-06-22T11:17:46Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602967#M209858 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247088">@raffaelecervino</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 23 Jun 2022 08:52:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602967#M209858 gcusello 2022-06-23T08:52:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602968#M209859 <P class="lia-align-left">Thanks,&nbsp; it works perfectly!</P><P class="lia-align-left">Is there a semantic to don't append the same processes in the .csv file?</P><P class="lia-align-left">Because I run the search everyday (for a while) to appending new processes (to train the model about the main processes in the machine) and i would to prevent double processes in .csv file.</P><P class="lia-align-left">Thanks a lot!</P> Thu, 23 Jun 2022 08:58:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602968#M209859 raffaelecervino 2022-06-23T08:58:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602971#M209861 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247088">@raffaelecervino</a>,</P><P>you could create another scheduled search that every day removes duplicates, something like this:</P><LI-CODE lang="markup">| inputlookup processes.csv | dedup process | sort process | table process | outputlookup processes.csv</LI-CODE><P>or modify the sceduled search for populating the lookup:</P><LI-CODE lang="markup">index=your_index | fields process | append [ | inputlookup processes.csv | fields process ] | dedup process | sort process | table process | outputlookup processes.csv</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 23 Jun 2022 09:08:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-list-to-collect-quot-well-knowed-process-quot/m-p/602971#M209861 gcusello 2022-06-23T09:08:08Z