Alerting
Highlighted

How can I send alerts based on usernames?

New Member

My log file contains several lines with the following format:
... Failed password for invalid user someuser from somehost

Now, I would like to send an e-mail alert every time I see this line for any new user.

Any ideas?

Thanks,
Rafael

Tags (3)
0 Karma
Highlighted

Re: How can I send alerts based on usernames?

Motivator

Typically the way to track state in Splunk is via a lookup table.

Create a lookup with two fields -- user and firstSeen.

Then, do one of the following:

  1. Create two searches. The first just maintains the lookup table, and the second does your alerting based on a search using inputlookup instead of querying the indexed data.

  2. Create one search that pulls in your new events and the lookup table both, then outputs the updated lookup table, then filters the results to recent entries. Trigger the alert if any are found with firstSeen > now()-xx seconds.

Highlighted

Re: How can I send alerts based on usernames?

New Member

Thanks, I'll try to work with lookup tables.

Regards,
Rafael

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.