Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list? (PART 2)

Log_wrangler
Builder
‎07-10-2018 12:53 PM

I created this PART 2 as the previous thread is getting long.

Recap: I am trying to monitor login behavior to an online application using WAF logs. The userID may be associated with multiple sourceIP(s).

I use the following query to create a reference point, historic_login_list.csv. (I run this for last 90 days but not include current day)

index=waf sourcetype=waf_logs " key words" | stats count  by  userID  sourceIP GeoLoc | dedup userID sourceIP| outputlookup append=f historic_login_list.csv

I use the following query to compare results to the reference list.

 index=waf sourcetype=waf_logs " key words" | fillnull value=NULL userID | stats count  by  userID  sourceIP GeoLoc  _time| dedup]userID sourceIP| search NOT [|inputlookup historic_login_list.csv |fields userID sourceIP GeoLoc]

I use a fill null in the comparative query as it picks errors, and I added _time for investigative purposes.
I have scrubbed the historic list csv to discard data that is unusual or not a normal reference point.

Does anyone know of a better way to do this??? and get the results that I am after...

I appreciate any suggestions to improve or make more efficient.

Thank you for your review.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...