Solved: Trying to create a search that will use the result... - Page 2

bworrellZP · ‎07-05-2016

So I have a search that tells me is someones account is locked. I have been asked to create an alert or search that will tell me when someone's account is locked and has tried to login again. Then output this as a table in an email.

Search I use to find the locked accounts.
index=Account Status=Locked

Once I find the users that are locked, I want to feed those users into the second search, so that if they attempt tp login again, after being locked, I get a report with a table of the details I have been asked to provide.

Search I use to create the table, when doing a manual search
index=Account Status=Locked | table LoginTime, LoginStatus, FailureReason, Status, UserID

How do I take the first search to feed the second with just locked accounts that are trying to login?

Thanks

woodcock · ‎07-05-2016

Have 2 searches: 1 scheduled that updates a lookup file (or KV Store) for all UserIDs with "locked out" status.

Then use a subsearch to pull in that data to limit an outer search for login attempts like this:

Your search that shows failed login attempts here [|inputlookup YourLockedOutLookupHere | table UserID]

View solution in original post

Trying to create a search that will use the results to feed another search and output the results in a table.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...