Alerting

delete rows from lookup

sfurkan
Explorer

Hi,

There is an alarm monitoring the 4733 (A member was removed from a security-enabled local group) events. When this alarm is triggered, I want the user to be deleted from the users.csv lookup.

How can I do it?

Thanks,

1 Solution

scelikok
SplunkTrust

Hi @sfurkan,

You can use the sample query below. I assume your user.csv has a user field.

| inputlookup user.csv 
| search NOT 
    [ 'your search that outputs deleted_user field from 4733 events' 
    | rename deleted_user as user 
    | fields user] 
| outputlookup user.csv

If this reply helps you, an upvote is appreciated.



gcusello
Legend

Hi @sfurkan,

I suppose that your alert is something like this:

your_search
| table _time user

If your lookup isn't a KV store, you could try to modify your alert in this way:

your_search
| table _time user
| outputlookup temp_lookup

then schedule the following two searches to run:

| inputlookup users.csv 
| search NOT [ | inputlookup temp_lookup | fields user ]
| table <lookup_fields>
| outputlookup users.csv

then, after 5-10 minutes:

| makeresults
| search ppp=XXX
| outputlookup temp_lookup

If instead your lookup is a KV store, follow this URL: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/aboutkvstorecollections/

Ciao.

Giuseppe
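The accepted answer above and Giuseppe's staged variant do the same thing: take the lookup, subtract every user the 4733 search produced, and write the rest back. As an added example that is not part of this thread, the Python below performs that subtraction offline over a constructed users.csv and three constructed 4733-style records, so two details the SPL leaves implicit are visible: the match on the user field is case-insensitive (Windows account names are), and the file is rewritten only when the alert actually produced usable names, never from an empty result. The MemberName field name, the "-" placeholder for an unresolved member, and the lookup columns are assumptions made for the example; substitute whatever field the alert's search really outputs (the deleted_user placeholder in the answer).

```python
"""
Subtract the accounts seen in Windows 4733 events from a users lookup CSV.

Added example, not code from the thread. Field names (MemberName, user),
the "-" placeholder for an unresolved member and the sample rows are all
constructed for the demonstration.
"""
import csv
import io
import os
import tempfile

# Constructed lookup, in the shape outputlookup writes users.csv.
SAMPLE_LOOKUP_CSV = (
    "user,department,last_review\n"
    "alice,finance,2022-05-01\n"
    "Bob,it,2022-04-12\n"
    "carol,hr,2022-03-30\n"
    "dave,it,2022-06-01\n"
)

# Constructed 4733-style records, as an alert search might output them.
# The field name MemberName is an assumption; use whatever your search emits.
SAMPLE_4733_EVENTS = [
    {"EventCode": "4733", "MemberName": "BOB", "TargetUserName": "Administrators"},
    {"EventCode": "4733", "MemberName": "dave", "TargetUserName": "Remote Desktop Users"},
    {"EventCode": "4733", "MemberName": "-", "TargetUserName": "Administrators"},
]


def removed_users(events, field="MemberName"):
    """Account names to drop, lower-cased for a case-insensitive match.
    Empty values and the '-' placeholder are skipped so they never match a row."""
    names = set()
    for event in events:
        name = (event.get(field) or "").strip()
        if name and name != "-":
            names.add(name.lower())
    return names


def subtract_from_lookup(lookup_csv, removed, key="user"):
    """Return (remaining_rows, fieldnames, dropped_count).
    Every other column of a surviving row is kept unchanged."""
    reader = csv.DictReader(io.StringIO(lookup_csv))
    rows = list(reader)
    remaining = [r for r in rows if (r.get(key) or "").strip().lower() not in removed]
    return remaining, reader.fieldnames, len(rows) - len(remaining)


def write_lookup(path, rows, fieldnames):
    """Write the CSV to a temp file and rename it over the original, so a
    crash mid-write cannot leave a truncated lookup for the next search."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(rows)
    os.replace(tmp_path, path)


def prune_lookup_file(path, events, key="user", field="MemberName"):
    """Remove every lookup row whose key matches a member named in the events.
    Returns the number of rows removed. If the events yield no usable names,
    the file is left untouched rather than rewritten from an empty set."""
    removed = removed_users(events, field)
    if not removed:
        return 0
    with open(path, newline="") as fh:
        remaining, fieldnames, dropped = subtract_from_lookup(fh.read(), removed, key)
    if dropped:
        write_lookup(path, remaining, fieldnames)
    return dropped


def run_demo():
    """Round-trip on a temporary copy of the constructed lookup.
    Returns (rows_removed_by_empty_alert, rows_removed, remaining_users)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "users.csv")
        with open(path, "w", newline="") as fh:
            fh.write(SAMPLE_LOOKUP_CSV)
        untouched = prune_lookup_file(path, [])  # nothing usable: no rewrite
        dropped = prune_lookup_file(path, SAMPLE_4733_EVENTS)
        with open(path, newline="") as fh:
            remaining = [row["user"] for row in csv.DictReader(fh)]
    return untouched, dropped, remaining


if __name__ == "__main__":
    print(run_demo())  # (0, 2, ['alice', 'carol'])
```

prune_lookup_file is the file-level equivalent of the `| inputlookup ... | search NOT [...] | outputlookup` pipeline, with the empty-result guard and the atomic rename made explicit. The "Bob" row is dropped although the event carries "BOB", and the "-" record removes nothing. A KV store would need its own delete path rather than a file rewrite.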

scelikok
SplunkTrust

Hi @sfurkan,

You can use the sample below:

| inputlookup users.csv where user!=deleted_user
| outputlookup users.csv

If this reply helps you, an upvote is appreciated.