Hi Splunkers,
I use many alerts where the result contains the username. Then a map search looks for this user, in the user list index, checks the group memberships, and will send the alert to the corresponding IT department. (there are many countries and there is a lookup that tells the support email by the user's country group). If the user is not a member of any country-group support email eval to the central one.
That is working fine... until the user is in the user's index. If the user cannot be found there, the whole search is not working.
Example:
index=logons action=failure | stats dc(action) as failures by username | where failures > 20 | map maxsearches=50 search=" search index=users user=\"$username$\" | spath memberOf{}.displayName output=groupName | eval username=\"$usernam$\", failures=\"$failures$\" | lookup support.csv group as groupName output support" | eval support = if(isnull(support) OR support="", "central@example.com", support) | table username, failures, support
So if a user failed to log in more than 20 times the alert triggers and sends an email to support - assigned by the group membership, if there is no membership, it will send to central IT.
If the user cannot be found in index=users for some reason, the alert will not trigger at all. I would like it if the alert triggers and send to central@example.com (since a not existing user, has no group ...) with the username from the base search included.
... View more