Solved: Lookup Search

sumit29 · ‎05-25-2015

Dear Experts,

I need to write the custom search where user x can login from 5 sources , I am thinking to use lookup( 5 allowed Source IP) , Suppose if user login not from this lookup table(alloweduser) where field name IP. I should get a alert .

woodcock · ‎05-25-2015

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

View solution in original post

woodcock · ‎05-25-2015

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

Lookup Search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation