Reporting

How to create a temporary whitelist based on a scheduled search?

ralgar
Engager

Is there a way to create a whitelist, in this case based on usernames, that is only temporary?
For example a particular username appears in a scheduled search, and you want it to not be included the next time the search runs but after that you want it to be able to appear again.

The only way I am currently thinking of doing this is via input & output lookups. Is this possible? For example:

 <search> | search user NOT [|inputlookup temp_user_whitelist.csv] 
    |outputlookup temp_user_whitelist.csv

DalJeanis
SplunkTrust

Whitelist is a technical term, and it's not exactly what you are doing.

That being said, what you are doing can work. You need the right syntax for the search or where clause to work, and you might want to keep some other information around for debugging and research purposes.

Here's a slightly revised version that will store the run time of the output.

  <your search> 
    | addinfo
    | search NOT [|inputlookup temp_user_whitelist.csv | table user] 
    | rename info_search_time as lastruntime 
    | table user, lastruntime (...whatever other fields you might find useful...) 
    | outputlookup temp_user_whitelist.csv
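To make the rotation behaviour of this pattern concrete, here is a small Python model of what the answer's search does across several scheduled runs. It is an added example, not code from the thread or from Splunk: each "run" filters the search results against the previous run's lookup and then overwrites the lookup with only the users that survived the filter, so a user is suppressed for exactly one run. The sample result sets are constructed, and treating a missing or empty lookup as "suppress nobody" is an assumption of this model, not a statement about how inputlookup behaves on a missing file.

```python
"""Model of the rotating "suppress once" lookup pattern from the answer above (added example)."""
import csv
import io
from typing import Dict, List, Set, Tuple


def read_lookup(lookup_csv: str) -> Set[str]:
    """Users written by the previous run. Assumption of this model: an empty
    or header-only lookup suppresses nobody."""
    if not lookup_csv.strip():
        return set()
    return {row["user"] for row in csv.DictReader(io.StringIO(lookup_csv))}


def run_once(results: List[Dict[str, str]], lookup_csv: str,
             run_time: int) -> Tuple[List[Dict[str, str]], str]:
    """One scheduled run, mirroring:
        <search> | addinfo
        | search NOT [|inputlookup temp_user_whitelist.csv | table user]
        | rename info_search_time as lastruntime
        | table user, lastruntime
        | outputlookup temp_user_whitelist.csv
    Returns (rows that survive the filter, new lookup CSV text)."""
    suppressed = read_lookup(lookup_csv)
    # The subsearch turns the lookup into "user=a OR user=b"; NOT drops those rows.
    kept = [r for r in results if r["user"] not in suppressed]
    # outputlookup overwrites the file, so suppressed users fall out of the lookup
    # and become eligible to appear again on the following run.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["user", "lastruntime"])
    writer.writeheader()
    for r in kept:
        writer.writerow({"user": r["user"], "lastruntime": run_time})
    return kept, buf.getvalue()


def simulate(runs: List[List[Dict[str, str]]]) -> List[List[str]]:
    """Feed successive result sets through the lookup; return the users alerted on per run."""
    lookup = ""  # no lookup exists before the first run (model assumption)
    history = []
    for t, rows in enumerate(runs, start=1):
        kept, lookup = run_once(rows, lookup, run_time=t)
        history.append(sorted({r["user"] for r in kept}))
    return history


# Constructed sample data: alice fires every run, bob in runs 1 and 3, carol in run 2 only.
SAMPLE_RUNS = [
    [{"user": "alice"}, {"user": "bob"}],
    [{"user": "alice"}, {"user": "carol"}],
    [{"user": "alice"}, {"user": "bob"}],
    [{"user": "alice"}],
]

if __name__ == "__main__":
    for i, users in enumerate(simulate(SAMPLE_RUNS), start=1):
        print(f"run {i}: alerted on {users}")
```

The trace shows the side effect worth knowing before scheduling this: a user who triggers the search on every run (alice) is reported on alternating runs only, because each run she is reported she is written to the lookup, and each run she is suppressed she is dropped from it again. Bob, who fires in runs 1 and 3, is reported both times, since the lookup written in run 2 no longer contains him. If a run keeps no rows, the lookup is written with a header only, so the next run suppresses nobody.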