
How to create an alert only if the lookup table values match a field in the search?

AL3Z
Builder

Hi,

I am trying to make a search that raises an alert only if the values of the lookup table (i.e. groups.csv, field username) match the username in the search below.

index=foo sourcetype=WinEventLog 
| stats  values(username) as username, values(Target_Domain) as Domain by userid


Thanks


isoutamo
SplunkTrust

Hi

you could try something like this

index=foo sourcetype=WinEventLog 
| stats values(username) as username, values(Target_Domain) as Domain by userid
| append [ inputlookup groups.csv | fields userid ]
| stats count(userid) as Total values(username) as username, values(Target_Domain) as Domain by userid
| where Total > 1
| fields userid username Domain

I use userid here, not username. You could easily change that to username if there are not several names per userid. If there are several, then you should change this to work with those.

r. Ismo

AL3Z
Builder

@gcusello @isoutamo Hi,

My actual search is this; it's not working as expected.

index=foo sourcetype=XmlWinEventLog (EventCode=4743 AND NOT user_name="Win$")
| lookup groups.csv user_name as user_name OUTPUT user_name
| stats count values(EventCode) as EventCode values(signature) as sig values(user_name) as account_deleted values(Target_Domain) as Domain by _time UserSid

My lookup table (if any deleted user is present in the lookup table's user_name, it should trigger an alert):

user_name
win$
linux$
vmaware$

gcusello
SplunkTrust

Hi @AL3Z,

The lookup command is used to enrich your search with the content of the lookup.

If you want to use the lookup to filter your main search, you have to use it in a different way:

index=foo sourcetype=XmlWinEventLog (EventCode=4743 AND NOT user_name="Win$")
[ | inputlookup groups.csv | fields user_name ]
| stats count values(EventCode) as EventCode values(signature) as sig values(user_name) as account_deleted values(Target_Domain) as Domain by _time UserSid

Ciao.

Giuseppe


AL3Z
Builder

@gcusello 

If we use append only, it's raising alerts. Why so?

| append [ | inputlookup groups.csv | fields user_name ]


gcusello
SplunkTrust

Hi @AL3Z,

This is required to have in your results values that might not be present in your main search (e.g. searching for missing hosts); in your case, you only need to filter results from the main search using the lookup (if I understood correctly).

So I suggest using my previous solution.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @AL3Z,

Did you try to filter events in the main search?

something like this:

index=foo sourcetype=WinEventLog [ | inputlookup groups.csv | fields username ]
| stats  values(username) as username, values(Target_Domain) as Domain by userid

If you have results, you can trigger the alert.

Ciao.

Giuseppe
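The thread contrasts three SPL patterns: `lookup` (which only enriches, so the original search always has results), a subsearch `[ | inputlookup groups.csv | fields user_name ]` in the main search (which filters, so no match means no results and no alert), and `append` followed by `stats count` (where every CSV row becomes a result of its own, which is why the append-only version alerts every time unless `where count > 1` is added). The Python below is an added model of those semantics, not code from the thread or from Splunk; the events, SIDs and the copy of groups.csv are constructed, and `in_lookup` is a marker field invented here purely to show which rows matched.

```python
# Added example (not from the thread): a small model of how the three SPL
# patterns discussed above treat lookup rows. All data below is constructed.
from collections import Counter

# Constructed events, standing in for
# index=foo sourcetype=XmlWinEventLog EventCode=4743 (account-deleted events)
EVENTS = [
    {"_time": 1700000001, "UserSid": "S-1-5-21-100", "user_name": "linux$",
     "EventCode": "4743", "Target_Domain": "CORP"},
    {"_time": 1700000002, "UserSid": "S-1-5-21-101", "user_name": "jdoe",
     "EventCode": "4743", "Target_Domain": "CORP"},
    {"_time": 1700000003, "UserSid": "S-1-5-21-102", "user_name": "svc_backup",
     "EventCode": "4743", "Target_Domain": "CORP"},
]

# Constructed stand-in for groups.csv (the three rows shown in the thread)
GROUPS_CSV = [{"user_name": "win$"}, {"user_name": "linux$"}, {"user_name": "vmaware$"}]


def lookup_enrich(events, lookup, field="user_name"):
    """Model of `| lookup groups.csv user_name OUTPUT user_name`.

    lookup only adds fields; it never drops an event, so every event
    survives whether or not its user_name exists in the CSV.
    """
    known = {row[field] for row in lookup}
    enriched = []
    for event in events:
        row = dict(event)
        # Hypothetical marker field, used here only to show which rows matched.
        row["in_lookup"] = row.get(field) in known
        enriched.append(row)
    return enriched


def subsearch_filter(events, lookup, field="user_name"):
    """Model of `index=foo ... [ | inputlookup groups.csv | fields user_name ]`.

    The subsearch expands to (user_name="win$" OR user_name="linux$" OR ...)
    and is ANDed into the main search, so only events whose user_name is in
    the CSV are returned. No results means no alert.
    """
    wanted = {row[field] for row in lookup}
    return [event for event in events if event.get(field) in wanted]


def append_and_count(events, lookup, field="user_name"):
    """Model of `| append [ | inputlookup groups.csv | fields user_name ]
    | stats count by user_name`.

    append adds each CSV row as a result of its own, so every lookup name
    ends up with count >= 1 and the search always has results.
    """
    rows = [dict(e) for e in events] + [dict(r) for r in lookup]
    return dict(Counter(row[field] for row in rows))


def append_matches(events, lookup, field="user_name"):
    """The append pattern with `| where count > 1`: only names that appear
    both in the events and in the CSV reach a count of 2 or more."""
    counts = append_and_count(events, lookup, field)
    return sorted(name for name, n in counts.items() if n > 1)


def alert_fires(results):
    """An alert configured as 'number of results > 0' fires on any result."""
    return len(results) > 0


if __name__ == "__main__":
    print("lookup enrich  ->", alert_fires(lookup_enrich(EVENTS, GROUPS_CSV)))
    print("subsearch      ->", subsearch_filter(EVENTS, GROUPS_CSV))
    print("append only    ->", append_and_count(EVENTS, GROUPS_CSV))
    print("append + where ->", append_matches(EVENTS, GROUPS_CSV))
```

With the constructed data, the enrich and append-only variants both produce results (so a "results > 0" alert fires on every run), while the subsearch filter and the append-plus-`where` variant both reduce to the single overlapping name. The model compares names exactly; in Splunk, field=value terms in the base search are case-insensitive while the `lookup` command matches case-sensitively by default, which is worth checking when the CSV holds `win$` and the search mentions `Win$`.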
