Splunk Search

Adding lookup files for tuning purposes

Robbie1194
Communicator

So I'm new to Splunk (and ES) and have been asked to tune out some noise as we are getting a lot of false positives from one of the rules: Access - Excessive Failed Logins - Rule.

Could anyone help me with how I add the lookup file in my search so that it reads user and dest values stored inside?

| from datamodel:"Authentication"."Failed_Authentication" | stats values(tag) as "tag",dc(user) as "user_count",dc(dest) as "dest_count",count by "app","src" | where 'count'>=6

My aim is to build a list with destinations and users that are not included within the rule.

Any help (and explanation) would be much appreciated.


DalJeanis
Legend

The big picture is this: any record that gets to the end of the search generates an alert, so any workable method to eliminate the records that you do NOT want an alert from is a valid method.

Look at the answer on this one for one example of how to input, use and update a list of field combinations to suppress the alert on...

https://answers.splunk.com/answers/548711/how-to-throttle-an-alert-using-more-than-one-field.html#an...

For a more general case, here's one way to suppress records based on a lookup or csv...

https://answers.splunk.com/answers/305030/how-to-use-a-lookup-file-to-suppress-alerts.html

This one includes Somesoni2's code to look for an alert that was fired earlier...

https://answers.splunk.com/answers/403320/how-do-i-suppress-alerts-until-the-next-day-at-12.html


Robbie1194
Communicator

Thanks a lot, the URLs were very helpful.

DalJeanis
Legend

Moved the comment under the answer it related to. You're welcome!
