Splunk Search

Lookup Search

sumit29
Path Finder

Dear Experts,

I need to write the custom search where user x can login from 5 sources , I am thinking to use lookup( 5 allowed Source IP) , Suppose if user login not from this lookup table(alloweduser) where field name IP. I should get a alert .

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

View solution in original post

0 Karma

woodcock
Esteemed Legend

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...