Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

comparing a field and external file

aniketb
Path Finder
‎07-25-2012 10:28 AM

Hello all,

I'm a very new splunk user. I have this question:

I have a list of verified hostnames. I can put them in any file, .txt or .csv, its just a list.
I also have my hostname field in logs correctly extracted.

I would like to set up an alert if the hostname doesn't match with any approved one from the list.

How should I go ahead with it? Answers or even pointers would be helpful.

Reply
1 Solution
Solved! Jump to solution
Solution

cburr2012
Path Finder
‎07-25-2012 11:45 AM

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

cburr2012
Path Finder
‎07-25-2012 11:45 AM

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

Reply
Solved! Jump to solution

carmackd
Communicator
‎07-25-2012 10:34 AM

upload the host list as a lookup file (save as .csv) host column header named hostname

run this search

sourcetype=<my_sourcetype_name_here> NOT [|inputlookup <lookup_name_here>.csv | fields hostname]
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...