Splunk Search

How do you use lookups to throttle alerts?

New Member

Currently, I'm trying to leverage a lookup table to accomplish the following:

I currently have an alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for an X amount of time. I have tried using the throttling feature; however, it suppresses ALL alerts for the specified time.

For example, an alert for John Smith logging in from Australia. Once I validate that this is, in fact, John Smith, I want to write this entry to a lookup table. The next time the search is run, it should look up the username fields in my lookup table and suppress any future alerts from him, for, let's say, 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if I'm even headed in the right direction with this.

index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv

Path Finder

Hi, you can use the query below to get a list of the users who are outside of the country, which does not contain throttled users.

index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| lookup mylookup.csv username OUTPUT last_date
| where isnull(last_date)
| fields - last_date
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last

And use the query below to add a user to the lookup.

| inputlookup mylookup.csv
| append
    [| makeresults
     | eval username="Name of User", numberofdays=7, last_date=_time + 86400*numberofdays
     | table username, last_date]
| outputlookup mylookup.csv

You have to schedule the query below to remove throttled users from the lookup when the time expires, so schedule it to run at 12:00 AM (for example) every day.

| inputlookup mylookup.csv
| where last_date > now()
| outputlookup mylookup.csv

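As an added illustration (not code from this thread), the three lookup operations above modelled in Python against an in-memory copy of mylookup.csv with constructed events and a fixed "now"; it goes slightly beyond the answer by also ignoring an entry whose last_date has already passed before the nightly cleanup runs. The function and field names are assumptions.

```python
import csv
import io

DAY = 86400               # one day in seconds, as in the SPL 86400*numberofdays
NOW = 1_700_000_000       # constructed "now" (epoch seconds) so the run is deterministic

# Constructed sample of the non-US successful logins the alert search returns.
EVENTS = [
    {"_time": NOW - 60, "username": "jsmith", "location.country": "AU"},
    {"_time": NOW - 30, "username": "alee", "location.country": "DE"},
]

def load_lookup(csv_text):
    """Parse mylookup.csv (columns username,last_date) into {username: expiry_epoch}."""
    return {row["username"]: float(row["last_date"])
            for row in csv.DictReader(io.StringIO(csv_text))}

def dump_lookup(lookup):
    """Serialize back to the CSV layout outputlookup would write."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["username", "last_date"])
    for username, expiry in sorted(lookup.items()):
        writer.writerow([username, int(expiry)])
    return buf.getvalue()

def add_suppression(lookup, username, number_of_days, now=NOW):
    """Same as the append/makeresults query: last_date = now + 86400*numberofdays."""
    lookup[username] = now + DAY * number_of_days
    return lookup

def prune_expired(lookup, now=NOW):
    """Same as the cleanup query: keep rows where last_date > now().
    The comparison is against now(), not _time: inputlookup rows carry no _time."""
    return {u: t for u, t in lookup.items() if t > now}

def unsuppressed(events, lookup, now=NOW):
    """Same as: | lookup mylookup.csv username OUTPUT last_date | where isnull(last_date),
    plus an expiry guard so an entry that lapses between prunes no longer suppresses."""
    return [e for e in events
            if e["username"] not in lookup or lookup[e["username"]] <= now]

def demo():
    lookup = load_lookup("username,last_date\n")      # start from an empty lookup
    add_suppression(lookup, "jsmith", 7)             # validated jsmith: silence for 1 week
    still_alerting = [e["username"] for e in unsuppressed(EVENTS, lookup)]
    after_week = [e["username"] for e in unsuppressed(EVENTS, lookup, NOW + 8 * DAY)]
    pruned = prune_expired(lookup, NOW + 8 * DAY)
    return still_alerting, after_week, pruned, dump_lookup(lookup)

if __name__ == "__main__":
    print(demo())
```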

SplunkTrust

Converted from an answer into a question.

---
If this reply helps you, an upvote would be appreciated.