Splunk Search
Highlighted

How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

New Member

I have a couple logins (user) and the ip addresses (c_ip) in a lookup table. As a true test to make a search to compare these values with the values in the log file, and if they do not match, I need to trigger an alert.

0 Karma
Highlighted

Re: How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

SplunkTrust
SplunkTrust

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

View solution in original post

0 Karma
Highlighted

Re: How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

New Member

Thank you!

0 Karma