Splunk Search

How do I create an overall alert while ignoring events for specific field combinations?

jmaple
Communicator

I'm trying to alert on a specific event code, but there are certain combinations where these event codes are acceptable and I want to exclude them from my results. For some reason, I'm having trouble getting it to ignore accepted events without excluding them outright.

For instance, our service desk is allowed to make specific edits within our AD infrastructure, but we use Quest ARS for everything else, and we want to be notified when a user makes an AD modification to a user outside of this event combination. Here is my base search:

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate

From here I want to exclude the title of our "Account_Name" field (which is brought in using a lookup) with the specific "LDAP_Display_Name" field value of "altSecurityIdentity". I thought this would do it:

[base search] | where (LDAP_Display_Name!=altSecurityIdentity AND userTitle!="*help desk*")

But that doesn't take both arguments into account. It does one, then the other. How do I get it to accept both arguments as one?

1 Solution

jmaple
Communicator

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))

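The difference between the two searches above is pure boolean structure. `A!=x AND B!=y` keeps only events where neither condition holds, which is `NOT (A=x OR B=y)`, not `NOT (A=x AND B=y)`: every altSecurityIdentities edit disappears regardless of who made it, and since that attribute controls certificate-to-account mapping, that is exactly the blind spot the alert is meant to close. A second, independent problem with the `where` version is that `where` compares literally: an unquoted right-hand side is read as a field name, and `!=` does not expand `*`, so `userTitle!="*help desk*"` is true for every real title. The following is an added example, not code from the post or from Splunk; it replays the three filters over constructed 5136-style records (the field names follow the page, the account names, titles and ids are assumptions) so the two results can be compared side by side.

```python
"""Added example: the boolean logic behind the accepted answer.

Constructed EventCode 5136 style records (not real log data) are run
through the base search, then through the attempted two-negation
`where`, and through the accepted NOT (A AND (B OR C)) exclusion.
Field names follow the page; sample values are assumptions.
"""
from fnmatch import fnmatchcase

ATTR_ALLOWED = "altSecurityIdentities"            # LDAP display name of the attribute
ALLOWED_TITLES = ("*help desk*", "*service desk*")  # titles permitted to edit it

EVENTS = [
    # Help desk editing the permitted attribute: an accepted change.
    {"id": 1, "EventCode": 5136, "Class": "user", "Account_Name": "hd.alice",
     "userTitle": "Help Desk Analyst", "LDAP_Display_Name": "altSecurityIdentities"},
    # Help desk editing something else: should alert.
    {"id": 2, "EventCode": 5136, "Class": "user", "Account_Name": "hd.alice",
     "userTitle": "Help Desk Analyst", "LDAP_Display_Name": "description"},
    # Someone outside the desk editing altSecurityIdentities: should alert.
    {"id": 3, "EventCode": 5136, "Class": "user", "Account_Name": "adm.bob",
     "userTitle": "Domain Administrator", "LDAP_Display_Name": "altSecurityIdentities"},
    # Service desk editing the permitted attribute: an accepted change.
    {"id": 4, "EventCode": 5136, "Class": "user", "Account_Name": "sd.carol",
     "userTitle": "Service Desk Tier 2", "LDAP_Display_Name": "altSecurityIdentities"},
    # userCertificate is excluded by the base search itself.
    {"id": 5, "EventCode": 5136, "Class": "user", "Account_Name": "adm.bob",
     "userTitle": "Domain Administrator", "LDAP_Display_Name": "userCertificate"},
    # Not a user object: excluded by Class=user in the base search.
    {"id": 6, "EventCode": 5136, "Class": "group", "Account_Name": "hd.alice",
     "userTitle": "Help Desk Analyst", "LDAP_Display_Name": "altSecurityIdentities"},
]


def wild(value: str, pattern: str) -> bool:
    """Base-search style field=value match: wildcards, case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())


def base_search(events):
    """EventCode=5136 Class=user LDAP_Display_Name!=userCertificate"""
    return [e for e in events
            if e["EventCode"] == 5136
            and wild(e["Class"], "user")
            and not wild(e["LDAP_Display_Name"], "userCertificate")]


def where_two_negations(e) -> bool:
    """| where (LDAP_Display_Name!="altSecurityIdentities" AND userTitle!="*help desk*")

    Modelled with the literal comparison `where` actually performs: no
    title ever equals the string "*help desk*", so the second term is
    always true and every altSecurityIdentities edit is dropped.
    """
    return (e["LDAP_Display_Name"] != ATTR_ALLOWED
            and e["userTitle"] != "*help desk*")


def not_allowed_combo(e) -> bool:
    """NOT (LDAP_Display_Name=altSecurityIdentities
            AND (userTitle="*help desk*" OR userTitle="*service desk*"))"""
    allowed = (wild(e["LDAP_Display_Name"], ATTR_ALLOWED)
               and any(wild(e["userTitle"], t) for t in ALLOWED_TITLES))
    return not allowed


def alert_ids(predicate, events=EVENTS):
    """Ids of events that survive the base search and the given exclusion."""
    return [e["id"] for e in base_search(events) if predicate(e)]


if __name__ == "__main__":
    print("base search keeps:", [e["id"] for e in base_search(EVENTS)])
    print("two-negation where alerts on:", alert_ids(where_two_negations))
    print("NOT (A AND (B OR C)) alerts on:", alert_ids(not_allowed_combo))
```

Running it shows the base search keeping events 1 to 4, the two-negation `where` alerting only on event 2 (it silently drops the domain administrator's altSecurityIdentities edit in event 3), and the accepted `NOT (...)` form alerting on events 2 and 3 while passing the two desk edits. When a `where` clause is preferred over a base-search `NOT`, the wildcard has to be spelled out with `like(userTitle, "%help desk%")` or `match(userTitle, "(?i)help desk")`, and the excluded value must be quoted.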


somesoni2
Revered Legend

Try this

[base search] | where NOT (LDAP_Display_Name="altSecurityIdentity" AND userTitle="*help desk*")

jmaple
Communicator

Looks like there is no change. There are a couple of different titles I need to filter, so I tried one of them and it still came up as a result.
