Splunk Search

How can I search for the alerts usecase?

AL3Z
Builder


Hi, I need a search for the below use case.

Search for alert_type=ufa and alert_name="suspicious Downloads"
Please include all domains present in the domains.csv from this search.

We are looking for users that trigger the one above AND this one:

Search for alert_type=ufa and alert_name="suspicious uploads"
Please exclude all domains present in the domains.csv from this search.
Thanks...


scelikok
SplunkTrust

Hi @AL3Z,

You didn't provide field names for the events and the lookup file. I assume domains.csv is a lookup file in Splunk. Please try the sample below; I assumed your events and csv file have a field named "domain".

alert_type=ufa AND alert_name="suspicious uploads" NOT [inputlookup domains.csv | fields domain | format]

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
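To correlate both alerts per user, as the question asks, here is an added SPL example (not from the reply or the original poster) that applies the lookup as an enrichment instead of a subsearch filter. It assumes the events carry `user` and `domain` fields, that domains.csv has a `domain` column as the reply assumed, and that "include" for downloads means only domains on the list count.

```spl
alert_type=ufa (alert_name="suspicious downloads" OR alert_name="suspicious uploads")
| eval alert_name=lower(trim(alert_name))
| lookup domains.csv domain OUTPUT domain AS listed_domain
| eval on_list=if(isnotnull(listed_domain), 1, 0)
| where (alert_name="suspicious downloads" AND on_list=1)
    OR (alert_name="suspicious uploads" AND on_list=0)
| stats dc(alert_name) AS distinct_alerts, values(alert_name) AS alerts, values(domain) AS domains BY user
| where distinct_alerts=2
```

The `lookup` tags each event with whether its domain is on the list, the `where` keeps downloads only for listed domains and uploads only for unlisted ones, and the final `stats` plus `where distinct_alerts=2` leaves only users seen in both alert types. Lowercasing alert_name first matters because `where` compares strings case-sensitively, so a stored value like "suspicious Downloads" would otherwise be dropped.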