Splunk Search

How do you use lookups to throttle alerts?

jj39501
New Member

Currently, I'm trying to leverage a lookup table to accomplish the following:

I currently have an alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for an X amount of time. I have tried using the throttling feature, however it is suppressing ALL alerts for the specified time.

For example, an alert for John Smith logging in from Australia. Once I validate that this is, in fact, John Smith, I want to write this entry to a lookup table. The next time the search is run, it should look up the username fields in my lookup table and suppress any future alerts from him for, let's say, 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if I'm even headed in the right direction with this.

index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time, device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv

bhavikbhalodia
Path Finder

Hi, you can use the query below to get a list of the users who are outside of the country, excluding throttled users.

index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time, device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| lookup mylookup.csv username OUTPUT last_date
| where isnull(last_date)
| fields - last_date
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last

And use the query below to add a user to the lookup.

| inputlookup mylookup.csv
| append
    [| makeresults count=1
     | eval username="Name of User", numberofdays=7, last_date=_time+86400*numberofdays
     | fields username, last_date]
| outputlookup mylookup.csv

You have to schedule the query below to remove throttled users from the lookup when the time expires, so schedule it to run at 12:00 AM (for example) every day.

| inputlookup mylookup.csv
| where last_date > now()
| outputlookup mylookup.csv
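The three steps in this reply, modelled in Python as an added example (not from the thread or from Splunk) so the expiry arithmetic can be checked offline. The username and last_date columns follow the reply's lookup; the events and epoch values are constructed, and the filter goes one step further than the reply by comparing last_date with the event time instead of only testing for presence.

```python
import csv
import io

DAY = 86400

# Constructed lookup contents mirroring mylookup.csv from the reply:
# username plus last_date, the epoch second at which the exception expires.
LOOKUP_CSV = """username,last_date
jsmith,1700000000
mjones,1600000000
"""

# Constructed foreign-country login events (what the alert search returns).
EVENTS = [
    {"_time": 1650000000, "username": "jsmith", "country": "AU"},
    {"_time": 1650000000, "username": "mjones", "country": "AU"},
    {"_time": 1650000000, "username": "alee", "country": "DE"},
]

def load_lookup(text):
    """inputlookup equivalent: parse the CSV into {username: expiry_epoch}."""
    return {r["username"]: int(r["last_date"]) for r in csv.DictReader(io.StringIO(text))}

def dump_lookup(lookup):
    """outputlookup equivalent: serialise back with the same two columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["username", "last_date"])
    writer.writeheader()
    for user, expiry in sorted(lookup.items()):
        writer.writerow({"username": user, "last_date": expiry})
    return buf.getvalue()

def add_exception(lookup, username, numberofdays, now):
    """Step 2 of the reply: suppress username for numberofdays from now."""
    lookup[username] = now + DAY * numberofdays
    return lookup

def prune_expired(lookup, now):
    """Step 3: keep entries whose last_date is still ahead of the wall clock.
    The reference time must be now(); inputlookup rows carry no _time."""
    return {u: exp for u, exp in lookup.items() if exp > now}

def unsuppressed(events, lookup):
    """Step 1 with the expiry folded in: an exception only hides events that
    occur before its last_date, so a stale entry the nightly prune has not
    yet removed cannot mask a real alert."""
    return [e for e in events if lookup.get(e["username"], 0) <= e["_time"]]
```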


richgalloway
SplunkTrust

Converted from an answer into a question.

---
If this reply helps you, Karma would be appreciated.