Splunk Search

Lookup table for search exclusions using a combination of multiple fields

geoffmoraes
Path Finder

I have an alert to discover logins from accounts on servers and workstations. Some of these logins are normal and so I am attempting to create an exclusion for these events. This is a discovery process, and a list of normal logins is not known. At the moment, the exclusions are done with individual search commands for readability. But this query search lines are getting bigger by the day.

<base-search>
| search NOT (accountName=svcAPP01 AND computerName=srv-APP1-blah)
| search NOT (accountName=svcAPP02 AND computerName=srv-APP02-*)
| search NOT (accountName=svcAPP03 AND computerName=srv-APP03-blah computerName=ws-somename-blah)
| table _time, accountName, computerName

Is it possible to create an inputlookup table for such an exclusion, where the criteria are a combination of two fields; accountName and computerName?

0 Karma
1 Solution

gcusello
Legend

Hi @geoffmoraes,

if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:

your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ]
| ...

Ciao.

Giuseppe

 

View solution in original post

geoffmoraes
Path Finder

@gcusello That worked. Thanks!

0 Karma

gcusello
Legend

Hi @geoffmoraes,

Good for you.

Ciao and happy splunking.

Giuseppe.

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
Legend

Hi @geoffmoraes,

if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:

your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ]
| ...

Ciao.

Giuseppe

 

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...