Splunk Search

Alert when a field value changes

arjun_ananth
Explorer

Working on a query to generate an alert when a field value changes. The requirement is to detect the change in IP for a FQDN.

Currently I'm trying to use a lookup file which has the current value of the IP for two FQDN per host. 

Columns - Host|FQDN|Current_IP

Looks something like

Host1 fqdn1 IP1

Host2 fqdn1 IP1

Host1 fqdn2 IP2

Host2 fqdn2 IP2

I followed an approach suggested in another thread to use inputlookup

My current query looks like - stats latest(IP) as Latest_IP | inputlookup append=true myfile.csv | stats first(Latest_IP) as Latest_IP, first(Current_IP) as Previous_IP | where Latest_IP!=Previous_IP

 

This gives me a result with the latest and previous IP whenever the IP changes, but looking to add more details to the result which also lists the FQDN and the time when the IP changed.

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @arjun_ananth ,

I don't like lookup method, I'd like to use a summary index:

schedule a search every night (if the change frequency that you want to monitor is one day) e.g.:

index=your_index
| dedup ip
| table _time host ip
| collect index=your_summary

and then run a search on the summary index:

index=your_summary
| stats dc(ip) AS ip_count By host
| where ip_count>1

in this way you haven't the problem of manage the timestamp and lookup upgrade, and, at the same time, you have a quick search.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @arjun_ananth ,

I don't like lookup method, I'd like to use a summary index:

schedule a search every night (if the change frequency that you want to monitor is one day) e.g.:

index=your_index
| dedup ip
| table _time host ip
| collect index=your_summary

and then run a search on the summary index:

index=your_summary
| stats dc(ip) AS ip_count By host
| where ip_count>1

in this way you haven't the problem of manage the timestamp and lookup upgrade, and, at the same time, you have a quick search.

Ciao.

Giuseppe

arjun_ananth
Explorer

Thanks @gcusello . I will try this and let you know. 

You are right about the lookup. Whenever the IP values changes, the lookup file also needs to be updated. I managed to get the output using the lookup earlier, but then I tried to update the lookup file in the same query which messed up the column names, and the query won't work anymore since the values changed. I will try the summary method and let you know. Thanks again

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @arjun_ananth ,

let me know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

arjun_ananth
Explorer

@gcusello I ended up taking an entirely different approach. I ditched inputlookup/lookup and used a bit of eval, where and eventstats to achieve it. For your suggestion to use summary index, I do not have privileges to create a new index, so couldn't try that but it would have worked i guess. Thank you though,  I can definitely keep this approach in mind whenever I run into problems again. 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...