Splunk Search

csv file exclude

sfurkan
Explorer

Hi,

I will create an alert that tracks Windows (event id = 4726 - A user account was deleted) events.
I have a user list named "user" in the adminuser.csv file. I want to exclude these users. how can I do it? Should I use lookup or inputlookup? which one is more efficient?

The following query does not return the result I want.


index = wineventlog source = "WinEventLog: Security" EventCode = 4726 | search src_user NOT [ | inputlookup adminuser.csv]

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @sfurkan,

Using inputlookup is better since it will filter events as early as possible. 

 

index = wineventlog source = "WinEventLog: Security" EventCode = 4726 NOT [| inputlookup adminuser.csv | fields user | rename user as src_user]

 

 

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

I noticed and fixed my query after posting. I think you read before my edit. Please check my reply again. I changed it to src_user. It will compare user field in csv with src_user in events.

If this reply helps you an upvote is appreciated.
0 Karma

sfurkan
Explorer

the field src_user that I want to query in the event.
I only have "user" field in the adminuser.csv file.

What does src_ip mean in the query you mentioned? Do you mean the field in the csv file?

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @sfurkan,

Using inputlookup is better since it will filter events as early as possible. 

 

index = wineventlog source = "WinEventLog: Security" EventCode = 4726 NOT [| inputlookup adminuser.csv | fields user | rename user as src_user]

 

 

If this reply helps you an upvote is appreciated.
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...