How can I send alerts based on usernames?

New Member

My log file contains several lines with the following format:
... Failed password for invalid user someuser from somehost

Now, I would like to send an e-mail alert every time I see this line for any new user.

Any ideas?


Tags (3)
0 Karma


Typically the way to track state in Splunk is via a lookup table.

Create a lookup with two fields -- user and firstSeen.

Then, do one of the following:

  1. Create two searches. The first just maintains the lookup table, and the second does your alerting based on a search using inputlookup instead of querying the indexed data.

  2. Create one search that pulls in your new events and the lookup table both, then outputs the updated lookup table, then filters the results to recent entries. Trigger the alert if any are found with firstSeen > now()-xx seconds.

New Member

Thanks, I'll try to work with lookup tables.


0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...