Hi,
There is an alarm monitoring the 4733 (A member was removed from a security-enabled local group) events. When this alarm is triggered, I want the user to be deleted from the users.csv lookup.
How can I do it?
Thanks,
Hi @sfurkan,
You can use the sample query below. I assume your user.csv has a user field.
| inputlookup user.csv
| search NOT
[ 'your search that outputs deleted_user field from 4733 events'
| rename deleted_user as user
| fields user]
| outputlookup user.csv
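The same "drop the 4733 member from the lookup" logic as in the answer above, written as a stand-alone Python script so the edge cases can be checked outside Splunk. This is an added example, not code from the thread: it assumes the lookup has a `user` column and that the removed account appears in the event's "Member:" block under "Account Name:", as the Windows security log renders it. The lookup rows, the event bodies and the `normalize`, `removed_members`, `prune_lookup` and `rewrite_lookup` functions are all constructed for this example.

```python
"""
Added example (not from the original thread). Mirrors
  | inputlookup users.csv | search NOT [ <4733 members> ] | outputlookup users.csv
but makes two things explicit that the SPL hides: name normalization
(DOMAIN\\user vs user vs user@domain, case) and an atomic rewrite of the file.
"""
import csv
import io
import os
import re
import tempfile

# Constructed users.csv lookup content (assumed to carry a `user` column).
USERS_CSV = """user,department,last_seen
CORP\\alice,finance,2024-01-02
bob,it,2024-01-03
CARLA,hr,2024-01-04
dave,it,2024-01-05
"""

# Constructed 4733 event bodies, shaped like the Windows "Member:" block.
EVENTS_4733 = [
    """A member was removed from a security-enabled local group.
Subject:
    Security ID:    CORP\\admin
Member:
    Security ID:    CORP\\alice
    Account Name:   CORP\\alice
Group:
    Group Name:     Administrators""",
    """A member was removed from a security-enabled local group.
Member:
    Security ID:    S-1-5-21-1111-2222-3333-1105
    Account Name:   carla
Group:
    Group Name:     Remote Desktop Users""",
    # Member resolved only to a SID: no name to match, so it must be skipped.
    """A member was removed from a security-enabled local group.
Member:
    Security ID:    S-1-5-21-1111-2222-3333-9999
    Account Name:   -
Group:
    Group Name:     Backup Operators""",
]

# First "Account Name:" after the "Member:" heading (assumed event layout).
MEMBER_RE = re.compile(r"Member:.*?Account Name:\s*(?P<name>\S+)", re.S)


def normalize(name):
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case, so that
    CORP\\Alice, alice and Alice@corp.local all compare equal."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def removed_members(events):
    """Normalized member names taken from 4733 event bodies; events whose
    member name is unresolved ('-') are ignored rather than matched."""
    out = set()
    for body in events:
        m = MEMBER_RE.search(body)
        if not m or m.group("name") == "-":
            continue
        out.add(normalize(m.group("name")))
    return out


def prune_lookup(csv_text, removed):
    """Return (fieldnames, remaining_rows, dropped_users): every row whose
    normalized `user` is in `removed` is dropped, all other columns kept."""
    reader = csv.DictReader(io.StringIO(csv_text))
    remaining, dropped = [], []
    for row in reader:
        if normalize(row["user"]) in removed:
            dropped.append(row["user"])
        else:
            remaining.append(row)
    return reader.fieldnames, remaining, dropped


def rewrite_lookup(path, fieldnames, rows):
    """Replace the lookup file atomically (temp file in the same directory,
    then rename) so a concurrent reader never sees a half-written CSV."""
    dir_ = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dir_, suffix=".tmp")
    with os.fdopen(fd, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fieldnames)
        w.writeheader()
        w.writerows(rows)
    os.replace(tmp, path)


def apply_events(csv_text, events):
    """Run the whole pipeline in memory: parse events, prune the lookup."""
    return prune_lookup(csv_text, removed_members(events))


if __name__ == "__main__":
    fieldnames, remaining, dropped = apply_events(USERS_CSV, EVENTS_4733)
    print("dropped:", dropped)
    print("remaining:", [r["user"] for r in remaining])
    with tempfile.TemporaryDirectory() as d:
        rewrite_lookup(os.path.join(d, "users.csv"), fieldnames, remaining)
```

Two caveats carry over to the SPL version: the subsearch that feeds `search NOT [...]` is subject to Splunk's subsearch result limit, so a lookup holding many users should be pruned in batches or with a join rather than one subsearch; and `outputlookup` replaces the whole file, so if the lookup stores `DOMAIN\user` while the 4733 event carries the bare name, the comparison must normalize one side or nothing is ever removed.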
Hi @sfurkan,
I suppose that your alert is something like this:
your_search
| table _time user
If your lookup isn't a kvstore, you could try to modify your alert in this way:
your_search
| table _time user
| outputlookup temp_lookup
Then schedule the following two searches to run:
| inputlookup users.csv
| search NOT [ | inputlookup temp_lookup | fields user ]
| table <lookup_fields>
| outputlookup users.csv
then, after 5-10 minutes:
| makeresults
| search ppp=XXX
| outputlookup temp_lookup
If instead your lookup is a kvstore follow this url https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/aboutkvstorecollections/
Ciao.
Giuseppe
Hi @sfurkan,
You can use the sample below:
| inputlookup users.csv where user!=deleted_user
| outputlookup users.csv