Hi all, I am new to Splunk and have been trying to work on a use case to detect anomalous switches from one type of account to another.

Index A: Has the list of switches, i.e. it has two columns: 'Old account', 'New account'.
Index B: Has the *type* of accounts. It has two columns: 'Accounts', 'Account_types'.

Till now, using commands like join (after renaming certain columns), I have been able to get to a point where I have a table of 4 columns: 'Old account', 'Old_account_type', 'New account', 'New_account_type'.

Aim: I need to implement logic to detect if old accounts switch to 'unusual' new accounts.

Idea so far: I wish to create a dictionary of some sort where there is a list of new accounts and new_account_type(s) an old account has switched to. And then, if the old account switches to an account not in this dictionary, I wish to flag it up. Does this sound like a logical idea?

For example, looking at the past 4 switches, if an old account named A of the type 'admin' switches to new accounts named 1, 2, 3, 4 of type admin, user, admin, admin, then the dictionary should look like

A_switches = { "Old Account": "A", "old_account_type": "admin", "New Account": [1, 2, 3, 4], "type": [admin, user] }

This query needs to be run each hour to flag up unusual switches. Can someone suggest how I can implement the above logic, i.e. create a dictionary and spot unusual activity? Apologies for the long question and if something isn't clear.
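One way to build the "dictionary" the post describes, as an added example that is not from the original thread, the poster, or Splunk documentation: persist the per-old-account baseline as a CSV lookup with a scheduled search, and have the hourly search compare each switch against that lookup. Everything named here is an assumption: the index names index_a and index_b, the lookup file names account_types.csv and switch_baseline.csv, and the field names Old_account, New_account, Accounts and Account_types (the post's column names with spaces replaced by underscores, since SPL field names with spaces need quoting everywhere). The baseline uses a 30-day time window rather than "the past 4 switches", because a scheduled search naturally runs over a time range. There are three searches, separated by blank lines:

```spl
index=index_b
| stats latest(Account_types) AS Account_type BY Accounts
| rename Accounts AS account
| outputlookup account_types.csv

index=index_a earliest=-30d@d latest=@d
| lookup account_types.csv account AS New_account OUTPUT Account_type AS New_account_type
| fillnull value="unknown" New_account_type
| stats values(New_account) AS known_new_accounts
        values(New_account_type) AS known_new_types
        count AS switch_count
  BY Old_account
| eval known_new_accounts = mvjoin(known_new_accounts, "|")
| eval known_new_types    = mvjoin(known_new_types, "|")
| outputlookup switch_baseline.csv

index=index_a earliest=-1h@h latest=@h
| lookup account_types.csv account AS Old_account OUTPUT Account_type AS Old_account_type
| lookup account_types.csv account AS New_account OUTPUT Account_type AS New_account_type
| fillnull value="unknown" Old_account_type New_account_type
| lookup switch_baseline.csv Old_account OUTPUT known_new_accounts known_new_types switch_count
| eval known_new_accounts = split(known_new_accounts, "|")
| eval known_new_types    = split(known_new_types, "|")
| eval known_account = if(mvcount(mvdedup(mvappend(known_new_accounts, New_account))) = mvcount(known_new_accounts), 1, 0)
| eval known_type    = if(mvcount(mvdedup(mvappend(known_new_types, New_account_type))) = mvcount(known_new_types), 1, 0)
| eval reason = case(isnull(switch_count), "no baseline for this old account",
                     known_account = 0 AND known_type = 0, "new target account of a type never used before",
                     known_account = 0, "new target account of a previously seen type",
                     true(), null())
| where isnotnull(reason)
| table _time Old_account Old_account_type New_account New_account_type reason
```

The first search turns Index B into an account-to-type lookup (latest() keeps one row per account if a type was re-recorded), so the join the post mentions becomes a lookup on each side of the switch. The second search, scheduled daily, is the dictionary: one row per Old_account with the distinct target accounts and target types seen in the previous 30 full days; the lists are joined with "|" before being written and split again after being read, so the multivalue fields survive the CSV round trip regardless of how the lookup is stored. The third search, scheduled with cron "0 * * * *" over the previous full hour, does the membership test without regular expressions: appending the current New_account to the known list and deduplicating changes the count only if the account was not already there, which avoids problems with account names that contain regex metacharacters. Because the baseline window ends at the start of the current day and the hourly window starts after it, a switch is never compared against itself. Two caveats a detection engineer would add: the baseline is only as clean as the period it was built from (a switch an attacker already made 20 days ago is now "known"), so build it from a period you trust or require a minimum switch_count before treating a target as known; and accounts with no baseline row at all are surfaced as a separate reason so you can decide whether a brand-new source account is an alert or just noise from onboarding.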