Splunk Search

How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

New Member

I have a couple logins (user) and the ip addresses (c_ip) in a lookup table. As a true test to make a search to compare these values with the values in the log file, and if they do not match, I need to trigger an alert.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

View solution in original post

0 Karma

New Member

Thank you!

0 Karma