Hi,
I am trying to monitor anonymous logins and login failures on my servers. My search runs fine, but it pulls out all the users that are connecting. I would like to exclude a list of users that are validated users of my organization and report rest of the login and login failure attempts in my report. Please help
What is your initial search that gets you this far?
"I am trying to monitor anonymous logins and login failures on my servers. My search runs fine"....
Please find a similar issue .. ie Excluding the intersection
http://answers.splunk.com/answers/260368/how-to-ignore-ip-address-from-events-that-exist-in.html#ans...
I would use a subsearch here and the lookup table. You could also just list the users out as well.
Assuming you base search is for example, "index=www login", and you loaded your list of users into lookup "listofyourusers"
index=www login | search NOT [ | inputlookup listofyourusers]
You probably should use a lookup
; you can either have the data in a file (which could be dynamically generated from another search) and then validate against that list:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Addfieldsfromexternaldatasources
You can also build an external lookup against an LDAP query (there probably even an app for this for AD).
i do have a lookup file with the user list in it, but how do i exclude these users from showing up in the report. i usually use lookup to pop up blacklisted ip's or such.
Assuming you have a field username
(adjust if not) and not a huge number of them, like this:
<your other search stuff> NOT [| inputcsv GoodUserFile | fields username ]
Did this work?