Solved: Re: How to compare logins (users) and IP addresses...

vesug · ‎02-08-2016

I have a couple logins (user) and the ip addresses (c_ip) in a lookup table. As a true test to make a search to compare these values with the values in the log file, and if they do not match, I need to trigger an alert.

renjith_nair · ‎02-09-2016

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎02-09-2016

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

---
What goes around comes around. If it helps, hit it with Karma 🙂

vesug · ‎02-09-2016

Thank you!

How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases