- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I compare values from a lookup and alert w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a lookup tables with user names (ftp_users.csv).
Every day I'm getting one line from a particular system with users with FTP permissions, I want to compare between the lookup file (which contains the allowed FTP users) with the line I'm getting from the system and to alert when there is no match.
The line form the system looks similar to the below row:
users=user1, user2, user3, user4, user5I'll appreciate any help with that,
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal | head 1 | fields _raw _time | eval _raw="users=user1, user2, user3, user4, user5"
| rex "=(?<users>.*)"
| eval users=trim(split(users,","))
| mvexpand usersand
lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's great @to4kawa , now I have two fields ("users" field from the system's output, and "user" from my ftp_allowed lookup).
I ran the below stats and got two lists of users, now I just need to compare and alert when there is an extra user under one of the lists.
| stats values(users) as ftp_users, values(user) as allowed_user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying my luck another time..
I have created the below search:
<my search here>
| fields users
| eval users=trim(split(users,","))
| mvexpand users
| lookup as400_ftp_users.csv user as users OUTPUT user
| rename users as FTP_USERS, user as ALLOWED_USERS
| table FTP_USERS ALLOWED_USERS
Now I have two lists of users, ordered by user name:
| MO***FR | MO***FR |
| NA***ZA | NA***ZA |
| O***AS | O***AS |
| R***NI | R***NI |
| R***TL | |
| R***MKA | R***MKA |
| S**IM | S**IM |
| S***ARA | S***ARA |
I want to print out the extra user on the left side (R***TL) because this user is not in the "allowed users" list.
Is that possible?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| where isnull(ALLOWED_USERS)
or
| search ALLOWED_USERS!=*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect.
Thank you @to4kawa
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
