Splunk Search

How do you use lookups to throttle alerts?

jj39501
New Member

Currently, I'm trying to leverage a lookup table to accomplish the following:

I currently have an alert set up for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for X amount of time. I have tried using the throttling feature; however, it suppresses ALL alerts for the specified time.

For example, an alert for John Smith logging in from Australia. Once I validate that this is, in fact, John Smith, I want to write this entry to a lookup table. The next time the search is run, it should look up the username field in my lookup table and suppress any future alerts from him for, let's say, 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if I'm even headed in the right direction with this.

index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv
0 Karma

bhavikbhalodia
Path Finder

Hi, you can use the query below to get a list of the users who are outside of the country, excluding throttled users.

index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
| lookup mylookup.csv username OUTPUT last_date
| where isnull(last_date)
| fields - last_date
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last

And use the query below to add a user to the lookup (numberofdays=7 suppresses the user for one week).

| inputlookup mylookup.csv
| append
    [| makeresults count=1
     | eval username="Name of User", numberofdays=7, last_date=_time+86400*numberofdays
     | fields username, last_date]
| outputlookup mylookup.csv

You have to schedule the query below to remove throttled users from the lookup when their time expires; schedule it to run at 12:00 AM (for example) every day.

| inputlookup mylookup.csv
| where last_date > now()
| outputlookup mylookup.csv

0 Karma
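Added example (Python, not SPL, and not code from the question or the answer above): an offline emulation of the three searches the answer proposes, run over constructed events and a constructed lookup file. It makes the suppression semantics concrete, including the edge case the daily cleanup job exists for: because the alert search only checks isnull(last_date), an expired row still suppresses its user until the cleanup search prunes it. The field names (username, last_date), the 86400*numberofdays expiry and the fixed NOW timestamp are assumptions taken from the thread and chosen for a deterministic run.

```python
import csv
import io

DAY = 86400

# Constructed "now" (epoch seconds) so the run is deterministic; stands in for Splunk's now().
NOW = 1_700_000_000

# Constructed lookup file in the shape the answer's searches write: username,last_date.
# jsmith is suppressed for three more days; adoe's suppression expired a day ago.
LOOKUP_CSV = f"""username,last_date
jsmith,{NOW + 3 * DAY}
adoe,{NOW - 1 * DAY}
"""

# Constructed authentication events with the fields the question's search uses.
EVENTS = [
    {"_time": NOW - 600, "username": "jsmith", "location.country": "AU"},
    {"_time": NOW - 300, "username": "adoe", "location.country": "DE"},
    {"_time": NOW - 120, "username": "bwong", "location.country": "FR"},
    {"_time": NOW - 60, "username": "cruz", "location.country": "US"},
]


def load_lookup(text):
    # Emulates: | inputlookup mylookup.csv  -> {username: last_date}
    return {row["username"]: float(row["last_date"]) for row in csv.DictReader(io.StringIO(text))}


def dump_lookup(lookup):
    # Emulates: | outputlookup mylookup.csv  -> CSV text
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["username", "last_date"])
    writer.writeheader()
    for user, last_date in sorted(lookup.items()):
        writer.writerow({"username": user, "last_date": int(last_date)})
    return buf.getvalue()


def foreign_logins(events):
    # Emulates: | search "location.country"!="" AND "location.country"!="US"
    return [e for e in events if e.get("location.country") not in ("", None, "US")]


def unsuppressed(events, lookup):
    # Emulates: | lookup mylookup.csv username OUTPUT last_date | where isnull(last_date)
    # Any row in the lookup suppresses the user, whether or not last_date has passed.
    return [e for e in events if e["username"] not in lookup]


def add_suppression(lookup, username, number_of_days, now=NOW):
    # Emulates the append/makeresults search: last_date = _time + 86400 * numberofdays
    updated = dict(lookup)
    updated[username] = now + DAY * number_of_days
    return updated


def prune_expired(lookup, now=NOW):
    # Emulates the daily cleanup: | inputlookup | where last_date > now() | outputlookup
    return {user: last_date for user, last_date in lookup.items() if last_date > now}


def alert_users(events, lookup_text, now=NOW, prune_first=True):
    # Runs the scheduled alert pipeline and returns the usernames that would still alert.
    # prune_first=False shows the state when the cleanup job has not yet run.
    lookup = load_lookup(lookup_text)
    if prune_first:
        lookup = prune_expired(lookup, now)
    return [e["username"] for e in unsuppressed(foreign_logins(events), lookup)]


if __name__ == "__main__":
    print("after cleanup:", alert_users(EVENTS, LOOKUP_CSV))
    print("before cleanup:", alert_users(EVENTS, LOOKUP_CSV, prune_first=False))
    updated = add_suppression(load_lookup(LOOKUP_CSV), "bwong", 7)
    print(dump_lookup(updated))
    print("after suppressing bwong:", alert_users(EVENTS, dump_lookup(updated)))
```

The prune_first=False run is the one worth noticing: adoe's row has expired but still suppresses until the midnight cleanup search rewrites the lookup, so an expired entry can mask a real foreign login for up to a day. Folding the expiry into the alert search itself, with a where clause that also lets rows whose last_date is older than now() through, removes that window; the cleanup job then only keeps the file small.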

richgalloway
SplunkTrust

Converted from an answer into a question.

---
If this reply helps you, Karma would be appreciated.
0 Karma