
How to create a temporary whitelist based on a scheduled search?

Engager

Is there a way to create a whitelist, in this case based on usernames, that is only temporary?
For example, a particular username appears in a scheduled search, and you want it not to be included the next time the search runs, but after that you want it to be able to appear again.

The only way I am currently thinking of doing this is via input and output lookups. Is this possible? For example:

    <search>
        | search user NOT [|inputlookup temp_user_whitelist.csv]
        | outputlookup temp_user_whitelist.csv

SplunkTrust

Whitelist is a technical term, and it's not exactly what you are doing.

That being said, what you are doing can work. You need to have the right syntax to make the search or where clause work, and you might want to decide to keep some other information around for debugging and research purposes.

Here's a slightly revised version that will store the run time of the output.

    <your search>
        | addinfo
        | search NOT [|inputlookup temp_user_whitelist.csv | table user]
        | rename info_search_time as lastruntime
        | table user, lastruntime (...whatever other fields you might find useful...)
        | outputlookup temp_user_whitelist.csv
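To make the run-to-run behaviour of the answer's loop concrete, here is an added example (not from the thread or from Splunk) that models the inputlookup / outputlookup cycle in plain Python and pushes a few constructed runs through it. The lookup "file" is an in-memory dict, the events are constructed lists of usernames, and the function names inputlookup, outputlookup, run_scheduled_search and simulate are this model's own. Two modelled behaviours are assumptions stated in the code: a lookup that has never been written reads as empty (real Splunk errors on a missing lookup file, so write the CSV once before scheduling the search), and a run with no results overwrites the lookup with an empty file, which matches outputlookup's default override_if_empty=true.

```python
from typing import Dict, List

# In-memory stand-in for Splunk's lookup files (constructed for this example).
LookupStore = Dict[str, List[Dict[str, str]]]

LOOKUP = "temp_user_whitelist.csv"


def inputlookup(store: LookupStore, name: str) -> List[Dict[str, str]]:
    """Model of `| inputlookup <name>`.

    Assumption for this model: a lookup that has not been written yet reads
    as empty. Real Splunk errors on a missing lookup file, so create the CSV
    once (for example with an initial outputlookup) before scheduling.
    """
    return list(store.get(name, []))


def outputlookup(store: LookupStore, name: str, rows: List[Dict[str, str]],
                 override_if_empty: bool = True) -> None:
    """Model of `| outputlookup <name>`: the file is replaced, not appended to.

    With override_if_empty=True (modelled as the default) a run that returns
    nothing writes an empty file, which clears every suppression at once.
    """
    if not rows and not override_if_empty:
        return
    store[name] = list(rows)


def run_scheduled_search(events: List[Dict[str, str]], store: LookupStore,
                         run_time: str) -> List[str]:
    """One execution of the scheduled search from the answer above.

    Returns the users that survive `search NOT [| inputlookup ... | table user]`
    and would therefore alert this run. The same users are written back as the
    suppression list, so they are hidden on the next run only.
    """
    suppressed = {row["user"] for row in inputlookup(store, LOOKUP)}
    surviving: List[str] = []
    seen = set()
    for ev in events:
        user = ev["user"]
        if user in suppressed or user in seen:
            continue  # dropped by the NOT subsearch, or already recorded this run
        seen.add(user)  # one row per user (the answer's `table` would keep duplicates)
        surviving.append(user)
    # Equivalent of `| addinfo | rename info_search_time as lastruntime
    #                 | table user, lastruntime`
    rows = [{"user": u, "lastruntime": run_time} for u in surviving]
    outputlookup(store, LOOKUP, rows)
    return surviving


def simulate(runs: List[List[str]]) -> List[List[str]]:
    """Feed consecutive runs (each a list of usernames seen) through the loop."""
    store: LookupStore = {}
    results = []
    for i, users in enumerate(runs, start=1):
        events = [{"user": u} for u in users]  # constructed events
        results.append(run_scheduled_search(events, store, run_time=f"run-{i}"))
    return results


if __name__ == "__main__":
    # Constructed schedule: alice is seen on runs 1, 2, 3 and 5; run 4 returns nothing.
    schedule = [["alice", "bob"], ["alice", "bob", "carol"], ["alice", "carol"], [], ["alice"]]
    for i, alerted in enumerate(simulate(schedule), start=1):
        print(f"run {i}: alerted {alerted}")
```

Running it shows the property the question asks for: alice alerts on run 1, is silent on run 2, and alerts again on run 3 because run 2 rewrote the lookup with only the users that were not suppressed. Run 4 returning nothing wipes the lookup, so anyone suppressed by run 3 is visible again on run 5.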