How to create a temporary whitelist based on a scheduled search?

ralgar
Engager

Is there a way to create a whitelist, in this case based on usernames, that is only temporary?
For example, a particular username appears in a scheduled search, and you want it not to be included the next time the search runs, but after that you want it to be able to appear again.

The only way I am currently thinking of doing this is via input & output lookups. Is this possible? For example:

  <search> | search user NOT [|inputlookup temp_user_whitelist.csv]
    | outputlookup temp_user_whitelist.csv

DalJeanis
Legend

Whitelist is a technical term, and it's not exactly what you are doing.

That being said, what you are doing can work. You need to have the right syntax so that the search or where clause will work, and you might want to decide to keep some other information around for debugging and research purposes.

Here's a slightly revised version that will store the run time of the output.

  <your search> 
    | addinfo
    | search NOT [|inputlookup temp_user_whitelist.csv | table user] 
    | rename info_search_time as lastruntime 
    | table user, lastruntime (...whatever other fields you might find useful...) 
    | outputlookup temp_user_whitelist.csv
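The answer above gives the pipeline but not what it does across successive runs, which is where the "temporary" behaviour comes from: outputlookup overwrites temp_user_whitelist.csv with whatever the current run emitted, so an entry only survives until the next run. The following Python simulation is an added example, not code from the thread or from Splunk; it models each SPL stage of DalJeanis' search as a function and replays several constructed runs (user lists are made up, the lookup is assumed to exist but be empty before the first run) so you can see which users reach the alert each time.

```python
"""Simulate the one-run suppression pipeline from the answer, outside Splunk.

Per scheduled run the SPL is:
  <your search>
  | addinfo
  | search NOT [| inputlookup temp_user_whitelist.csv | table user]
  | rename info_search_time as lastruntime
  | table user, lastruntime
  | outputlookup temp_user_whitelist.csv
The lookup is modelled as a list of {"user", "lastruntime"} rows, as the CSV holds.
"""
from datetime import datetime, timedelta, timezone


def run_scheduled_search(base_results, lookup_rows, search_time):
    """One run. Returns (rows the search emits, rows written back to the lookup).

    base_results: rows from <your search>, each with a "user" field (constructed input)
    lookup_rows:  current contents of temp_user_whitelist.csv
    search_time:  the value addinfo would supply as info_search_time
    """
    # [| inputlookup ... | table user] expands to  NOT (user=a OR user=b ...)
    suppressed = {row["user"] for row in lookup_rows}
    # search NOT [...] : drop rows whose user is currently in the lookup
    kept = [row for row in base_results if row["user"] not in suppressed]
    # rename info_search_time as lastruntime | table user, lastruntime
    emitted = [{"user": row["user"], "lastruntime": search_time} for row in kept]
    # outputlookup replaces the CSV with exactly the emitted rows (default, no append=true),
    # so last run's entries disappear: that is what limits the suppression to one run.
    seen = set()
    new_lookup = []
    for row in emitted:
        if row["user"] not in seen:  # one lookup row per user is enough for the NOT clause
            seen.add(row["user"])
            new_lookup.append(row)
    return emitted, new_lookup


def simulate(runs, start=datetime(2024, 1, 1, tzinfo=timezone.utc), interval=timedelta(hours=1)):
    """Replay several scheduled runs; returns the sorted users emitted by each run."""
    lookup = []  # assumption: temp_user_whitelist.csv exists but is empty before run 0
    history = []
    for i, users in enumerate(runs):
        base = [{"user": u} for u in users]
        emitted, lookup = run_scheduled_search(base, lookup, start + i * interval)
        history.append(sorted({row["user"] for row in emitted}))
    return history


if __name__ == "__main__":
    # Constructed input: which users <your search> returns on each hourly run.
    runs = [["alice", "bob"], ["alice", "bob", "carol"], ["alice", "bob", "carol"], ["alice"], ["alice"]]
    for i, users in enumerate(simulate(runs)):
        print(f"run {i}: emitted {users}")
```

Two things the replay makes visible. First, a user is hidden for exactly the run after it was emitted and reappears on the one after that, which is the behaviour the question asks for. Second, a user who shows up in every run therefore alternates between visible and hidden (alice in runs 0 through 4 above), and since suppressed rows are not written back, the lookup never records that they were seen while hidden; if that matters for investigation, that is the "other information" worth keeping in a separate, appended lookup rather than in this overwritten one.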