Splunk Search

Lookup Search

Path Finder

Dear Experts,

I need to write the custom search where user x can login from 5 sources , I am thinking to use lookup( 5 allowed Source IP) , Suppose if user login not from this lookup table(alloweduser) where field name IP. I should get a alert .

Tags (1)
0 Karma
1 Solution

Esteemed Legend

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

View solution in original post

0 Karma

Esteemed Legend

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

View solution in original post

0 Karma