Hi, I need a search for the below use case.
Search for alert_type=ufa and alert_name=" suspicious Downloads"
Please include all domains present in the domains.csv from this search
We are looking for users that trigger the one above AND this one:
Search for alert_type=ufa and alert_name=" suspicious uploads"
Please exclude all domains present in the domains.csv from this search
Thanks...
Hi @AL3Z,
You didn't provide field names in the events and lookup file. I assume domains.csv is a lookup file in Splunk. Please try the sample below; I assumed your events and CSV file have a field named "domain".
alert_type=ufa AND alert_name="suspicious uploads" NOT [| inputlookup domains.csv | fields domain | format]
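The answer above covers the second (exclusion) leg only. As an added example, not code from the original answer, the search below joins both legs per user: the downloads alert restricted to domains in the lookup, the uploads alert excluding them, and then only users who appear in both are kept. It assumes the events carry fields named "user" and "domain", that the lookup's column is "domain", and that the alert_name values have no leading space.

```spl
(alert_type=ufa AND alert_name="suspicious Downloads"
    [| inputlookup domains.csv | fields domain | format])
OR
(alert_type=ufa AND alert_name="suspicious uploads"
    NOT [| inputlookup domains.csv | fields domain | format])
| eval leg=if(match(alert_name, "(?i)download"), "download", "upload")
| stats dc(leg) AS legs, values(domain) AS domains,
        min(_time) AS first_seen, max(_time) AS last_seen BY user
| where legs=2
| convert ctime(first_seen) ctime(last_seen)
| table user, domains, first_seen, last_seen
```

Each `[| inputlookup ... | format]` subsearch expands to an `( domain="..." ) OR ( domain="..." )` clause, so the first leg only matches listed domains and the `NOT` on the second leg only matches unlisted ones; `dc(leg)=2` is what enforces the AND between the two alerts for the same user.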