How can I send alerts based on usernames?

New Member

My log file contains several lines with the following format:
... Failed password for invalid user someuser from somehost

Now, I would like to send an e-mail alert every time I see this line for any new user.

Any ideas?


Tags (3)
0 Karma


Typically the way to track state in Splunk is via a lookup table.

Create a lookup with two fields -- user and firstSeen.

Then, do one of the following:

  1. Create two searches. The first just maintains the lookup table, and the second does your alerting based on a search using inputlookup instead of querying the indexed data.

  2. Create one search that pulls in your new events and the lookup table both, then outputs the updated lookup table, then filters the results to recent entries. Trigger the alert if any are found with firstSeen > now()-xx seconds.

New Member

Thanks, I'll try to work with lookup tables.


0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...