Reporting
Highlighted

How to exclude a list of validated users from a report on failed login users?

Path Finder

Hi,

I am trying to monitor anonymous logins and login failures on my servers. My search runs fine, but it pulls out all the users that are connecting. I would like to exclude a list of users that are validated users of my organization and report rest of the login and login failure attempts in my report. Please help

Tags (4)
0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

Esteemed Legend

You probably should use a lookup; you can either have the data in a file (which could be dynamically generated from another search) and then validate against that list:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Addfieldsfromexternaldatasources

You can also build an external lookup against an LDAP query (there probably even an app for this for AD).

0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

Path Finder

i do have a lookup file with the user list in it, but how do i exclude these users from showing up in the report. i usually use lookup to pop up blacklisted ip's or such.

0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

Esteemed Legend

Assuming you have a field username (adjust if not) and not a huge number of them, like this:

<your other search stuff> NOT [| inputcsv GoodUserFile | fields username ]
0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

Esteemed Legend

Did this work?

0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

Path Finder

I would use a subsearch here and the lookup table. You could also just list the users out as well.

Assuming you base search is for example, "index=www login", and you loaded your list of users into lookup "listofyourusers"

index=www login | search NOT [ | inputlookup listofyourusers]

0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

Super Champion
0 Karma
Highlighted

Re: How to exclude a list of validated users from a report on failed login users?

New Member

What is your initial search that gets you this far?
"I am trying to monitor anonymous logins and login failures on my servers. My search runs fine"....

0 Karma