delete rows from lookup

sfurkan
Explorer

Hi,

There is an alarm monitoring the 4733 (A member was removed from a security-enabled local group) events. When this alarm is triggered, I want the user to be deleted from the users.csv lookup.

How can I do it?

Thanks,

1 Solution

scelikok
Champion

Hi @sfurkan,

You can use the sample query below. I assume your user.csv has a user field.

| inputlookup user.csv 
| search NOT 
    [ 'your search that outputs deleted_user field from 4733 events' 
    | rename deleted_user as user 
    | fields user] 
| outputlookup user.csv

If this reply helps you an upvote is appreciated.

gcusello
SplunkTrust

Hi @sfurkan,

I suppose that your alert is something like this:

your_search
| table _time user

If your lookup isn't a kvstore, you could try to modify your alert in this way:

your_search
| table _time user
| outputlookup temp_lookup

then schedule the following two searches to run:

| inputlookup users.csv 
| search NOT [ | inputlookup temp_lookup | fields user ]
| table <lookup_fields>
| outputlookup users.csv

then, after 5-10 minutes:

| makeresults
| search ppp=XXX
| outputlookup temp_lookup

If instead your lookup is a kvstore, follow this URL: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/aboutkvstorecollections/

Ciao.

Giuseppe

scelikok
Champion

Hi @sfurkan,

You can use the sample below:

| inputlookup users.csv where user!=deleted_user
| outputlookup users.csv

If this reply helps you an upvote is appreciated.
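All of the replies do the deletion in a search that has to be scheduled separately; a custom alert action is the other way to make it happen at trigger time. The script below is an added example, not from this thread or from Splunk: it assumes the alert's result rows carry a `user` field, that the lookup is users.csv in the alert's own app, and Splunk's custom alert action contract (the script is run with `--execute` and gets a JSON payload on stdin whose `results_file` is a gzipped CSV of the results).

```python
# Hypothetical custom alert action (constructed example, not from the thread).
# Splunk runs it as `script.py --execute` with a JSON payload on stdin;
# payload["results_file"] is a gzipped CSV of the alert's result rows and
# payload["app"] names the app that owns the alert.  Assumed, as in the
# thread: the alert yields a `user` field and the lookup is users.csv.
import csv, gzip, io, json, os, sys, tempfile

def removed_users(results_csv_text):
    """Distinct, lower-cased `user` values from the alert's result rows."""
    rows = csv.DictReader(io.StringIO(results_csv_text))
    return {r["user"].strip().lower() for r in rows if r.get("user")}

def rewrite_lookup(lookup_path, removed):
    """Drop lookup rows whose user is in `removed` (case-insensitive); return the count."""
    with open(lookup_path, newline="") as f:
        reader = csv.DictReader(f)
        fieldnames, rows = reader.fieldnames or ["user"], list(reader)
    kept = [r for r in rows if (r.get("user") or "").strip().lower() not in removed]
    # Temp file beside the lookup, then atomic rename: a crash mid-write never leaves a truncated users.csv.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(lookup_path) or ".")
    with os.fdopen(fd, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=fieldnames, extrasaction="ignore")
        writer.writeheader()
        writer.writerows(kept)
    os.replace(tmp, lookup_path)
    return len(rows) - len(kept)

def main():  # entry point Splunk calls; SPLUNK_HOME is assumed to be set in the script's environment
    payload = json.load(sys.stdin)
    with gzip.open(payload["results_file"], "rt", newline="") as f:
        removed = removed_users(f.read())
    lookup = os.path.join(os.environ["SPLUNK_HOME"], "etc", "apps",
                          payload["app"], "lookups", "users.csv")
    sys.stderr.write("dropped %d row(s) from %s\n" % (rewrite_lookup(lookup, removed), lookup))

def demo():
    """Constructed lookup and alert results; returns (rows dropped, users left)."""
    d = tempfile.mkdtemp()
    lookup, results = os.path.join(d, "users.csv"), os.path.join(d, "results.csv.gz")
    with open(lookup, "w", newline="") as f:
        f.write("user,department\nalice,it\nbob,finance\ncarol,hr\n")
    with gzip.open(results, "wt", newline="") as f:  # shaped like Splunk's results_file
        f.write("_time,user\n1700000000,Bob\n1700000010,dave\n")
    with gzip.open(results, "rt", newline="") as f:
        dropped = rewrite_lookup(lookup, removed_users(f.read()))
    with open(lookup, newline="") as f:
        return dropped, [r["user"] for r in csv.DictReader(f)]

if __name__ == "__main__":
    main() if "--execute" in sys.argv else print(demo())
```

Writing the CSV directly bypasses outputlookup, so the change is not picked up by search head cluster replication the way an outputlookup write is; in a cluster, stay with the scheduled-search approach from the replies.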