How can I send alerts based on usernames?

New Member

My log file contains several lines with the following format:
... Failed password for invalid user someuser from somehost

Now, I would like to send an e-mail alert every time I see this line for any new user.

Any ideas?


Tags (3)
0 Karma


Typically the way to track state in Splunk is via a lookup table.

Create a lookup with two fields -- user and firstSeen.

Then, do one of the following:

  1. Create two searches. The first just maintains the lookup table, and the second does your alerting based on a search using inputlookup instead of querying the indexed data.

  2. Create one search that pulls in your new events and the lookup table both, then outputs the updated lookup table, then filters the results to recent entries. Trigger the alert if any are found with firstSeen > now()-xx seconds.

New Member

Thanks, I'll try to work with lookup tables.


0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!