- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: How to exclude a list of validated users from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to exclude a list of validated users from a report on failed login users?
Hi,
I am trying to monitor anonymous logins and login failures on my servers. My search runs fine, but it pulls out all the users that are connecting. I would like to exclude a list of users that are validated users of my organization and report rest of the login and login failure attempts in my report. Please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your initial search that gets you this far?
"I am trying to monitor anonymous logins and login failures on my servers. My search runs fine"....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please find a similar issue .. ie Excluding the intersection
http://answers.splunk.com/answers/260368/how-to-ignore-ip-address-from-events-that-exist-in.html#ans...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would use a subsearch here and the lookup table. You could also just list the users out as well.
Assuming you base search is for example, "index=www login", and you loaded your list of users into lookup "listofyourusers"
index=www login | search NOT [ | inputlookup listofyourusers]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably should use a lookup; you can either have the data in a file (which could be dynamically generated from another search) and then validate against that list:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Addfieldsfromexternaldatasources
You can also build an external lookup against an LDAP query (there probably even an app for this for AD).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i do have a lookup file with the user list in it, but how do i exclude these users from showing up in the report. i usually use lookup to pop up blacklisted ip's or such.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have a field username (adjust if not) and not a huge number of them, like this:
<your other search stuff> NOT [| inputcsv GoodUserFile | fields username ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did this work?
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
