Re: Splunk Alert Exclude Previous Search Result

huaw828 · ‎04-29-2017

Hi,

I have a Splunk search which detect some potential attack Ips.
The alert scheduled every 4 hours and detect the offending IPs for last 24 hour which tried to login but failed for multiple times.
The result could be something like the following example:
ip failed_count
123.456.789.123 100
222.333.544.111 200

The problem is that, let's say the alert triggered at 8:00 am for the above result.
At 12:00 am, the alert triggered again with the following result:

ip failed_count
123.456.789.123 100
222.333.544.111 200
444.555.666.777 220

How could i exclude the previous result which already existing and only put the new one?
What i need for the alert at 12:00 am is only show:
ip failed_count
444.555.666.777 220

I tried to use Throttle to suppress results containing field value of ip, but this only works as per result, which means i would got multiple emails.

Please help, thanks in advance !

dineshraj9 · ‎05-02-2017

You can try loading the results for each day in a lookup using outputlookup command and before output lookup add a check if the current result has no results that match any entry in the lookup.

Splunk Alert Exclude Previous Search Result

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation