Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

unix_TA lastlog.sh match for alert

rafaelruales
Explorer
‎03-08-2021 05:52 AM

Hi,

I am trying to figure out how to create an alert when a specific user appears in the output of the lastlog.sh script.

The output is a nicely formatted table as follows:

UsernameFromLatest
user11.1.1.1fri Mar 4 2:20

 

I am new to splunk, I cannot figure out how I would create a query that would model something like an object where I can loop through everything under the username column and then do a lookup to see if user1 exists.

Any help would be appreciated, the ultimate goal is for the query to show if "user1" appears in the output of:

host=our_server sourcetype=lastlog

any links to documentation for this would be helpful too 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rafaelruales
Explorer
‎03-16-2021 07:14 AM

I was able to get this going after some research using a query similar to this and setting the alert to trigger if the results of the search is greater than 0.

host=myHostHere sourcetype=lastlog
| multikv fields USERNAME
| where USERNAME = "user1" OR USERNAME = "user2"
| table host USERNAME

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rafaelruales
Explorer
‎03-16-2021 07:14 AM

I was able to get this going after some research using a query similar to this and setting the alert to trigger if the results of the search is greater than 0.

host=myHostHere sourcetype=lastlog
| multikv fields USERNAME
| where USERNAME = "user1" OR USERNAME = "user2"
| table host USERNAME

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...