Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Lookup table for search exclusions using a combination of multiple fields

geoffmoraes
Path Finder
‎10-25-2020 11:57 PM

I have an alert to discover logins from accounts on servers and workstations. Some of these logins are normal and so I am attempting to create an exclusion for these events. This is a discovery process, and a list of normal logins is not known. At the moment, the exclusions are done with individual search commands for readability. But this query search lines are getting bigger by the day.

<base-search>
| search NOT (accountName=svcAPP01 AND computerName=srv-APP1-blah)
| search NOT (accountName=svcAPP02 AND computerName=srv-APP02-*)
| search NOT (accountName=svcAPP03 AND computerName=srv-APP03-blah computerName=ws-somename-blah)
| table _time, accountName, computerName

Is it possible to create an inputlookup table for such an exclusion, where the criteria are a combination of two fields; accountName and computerName?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2020 12:16 AM

Hi @geoffmoraes,

if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:

your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ]
| ...

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution

geoffmoraes
Path Finder
‎10-26-2020 02:24 AM

@gcusello That worked. Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2020 02:28 AM

Hi @geoffmoraes,

Good for you.

Ciao and happy splunking.

Giuseppe.

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2020 12:16 AM

Hi @geoffmoraes,

if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:

your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ]
| ...

Ciao.

Giuseppe

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...