How can I send alerts based on usernames?

New Member

My log file contains several lines with the following format:
... Failed password for invalid user someuser from somehost

Now, I would like to send an e-mail alert every time I see this line for any new user.

Any ideas?


Tags (3)
0 Karma


Typically the way to track state in Splunk is via a lookup table.

Create a lookup with two fields -- user and firstSeen.

Then, do one of the following:

  1. Create two searches. The first just maintains the lookup table, and the second does your alerting based on a search using inputlookup instead of querying the indexed data.

  2. Create one search that pulls in your new events and the lookup table both, then outputs the updated lookup table, then filters the results to recent entries. Trigger the alert if any are found with firstSeen > now()-xx seconds.

New Member

Thanks, I'll try to work with lookup tables.


0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...