Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create an overall alert while ignoring events for specific field combinations?

jmaple
Communicator
‎12-27-2016 09:02 AM

I'm trying to alert on a specific event code but there are certain combinations where these event codes are acceptable and I want to exclude them from my results but for some reason, I'm having trouble getting it to ignore accepted events without excluding them outright.

For instance, our service desk is allowed to make specific edits within our AD infrastructure but we use Quest ARS for everything else and we want to be notified when a user makes an AD modification to a user outside of this event combination so here is my base search:

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate

From here I want to exclude the title of our "Account_Name" field (which is brought in using a lookup) with the specific "LDAP_Display_Name" field value of "altSecurityIdentity". I thought this would do it:

[base search] | where (LDAP_Display_Name!=altSecurityIdentity AND userTitle!="*help desk*")

But that doesn't take both arguments in account. It does one then the other. How do I get it to accept both arguments as one?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmaple
Communicator
‎12-27-2016 09:42 AM

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jmaple
Communicator
‎12-27-2016 09:42 AM

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-27-2016 09:27 AM

Try this

[base search] | where NOT (LDAP_Display_Name="altSecurityIdentity" AND userTitle="*help desk*")
Reply
Solved! Jump to solution

jmaple
Communicator
‎12-27-2016 09:32 AM

Looks like there is no change. There a couple of different titles I need to filter so I tried one of them and it still came up as a result.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...