Alerting

delete rows from lookup

sfurkan
Explorer

Hi,

There is an alarm monitoring the 4733(A member was removed from a security-enabled local group
) events. When this alarm is triggered, I want the user to be deleted from the users.cvs lookup.

how can I do it?

Thanks,

 

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @sfurkan,

You can use below sample query. I assume your user.csv has user field.

| inputlookup user.csv 
| search NOT 
    [ 'your search that outputs deleted_user field from 4733 events' 
    | rename deleted_user as user 
    | fields user] 
| outputlookup user.csv

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @sfurkan,

You can use below sample query. I assume your user.csv has user field.

| inputlookup user.csv 
| search NOT 
    [ 'your search that outputs deleted_user field from 4733 events' 
    | rename deleted_user as user 
    | fields user] 
| outputlookup user.csv

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

gcusello
SplunkTrust
SplunkTrust

Hi @sfurkan,

I suppose that your alert is something like this:

your_search
| table _time user

if your lookup isn't a kvstore, you could try to modify your alert in this way:

your_search
| table _time user
| outputlookup temp_lookup

then schedule the following two searches to run:

| inputlookup users.csv 
| search NOT [ | inputlookup temp_lookup | field user ]
| table <lookup_fields>
| outputlookup users.csv

the after 5-10 minutes:

| makeresults
| search ppp=XXX
| outputlookup temp_lookup

 If instead your lookup is a kvstore follow this url https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/aboutkvstorecollections/

Ciao.

Giuseppe

scelikok
SplunkTrust
SplunkTrust

Hi @sfurkan,

You can use below sample;

| inputlookup users.csv where user!=deleted_user
| outputlookup users.csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...