How to outputlookup historic IP activity / userID ...

Log_wrangler · ‎07-10-2018

I created this PART 2 as the previous thread is getting long.

Recap: I am trying to monitor login behavior to an online application using WAF logs. The userID may be associated with multiple sourceIP(s).

I use the following query to create a reference point, historic_login_list.csv. (I run this for last 90 days but not include current day)

index=waf sourcetype=waf_logs " key words" | stats count  by  userID  sourceIP GeoLoc | dedup userID sourceIP| outputlookup append=f historic_login_list.csv

I use the following query to compare results to the reference list.

 index=waf sourcetype=waf_logs " key words" | fillnull value=NULL userID | stats count  by  userID  sourceIP GeoLoc  _time| dedup]userID sourceIP| search NOT [|inputlookup historic_login_list.csv |fields userID sourceIP GeoLoc]

I use a fill null in the comparative query as it picks errors, and I added _time for investigative purposes.
I have scrubbed the historic list csv to discard data that is unusual or not a normal reference point.

Does anyone know of a better way to do this??? and get the results that I am after...

I appreciate any suggestions to improve or make more efficient.

Thank you for your review.

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list? (PART 2)

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2