Splunk Search

How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

vesug
New Member

I have a couple logins (user) and the ip addresses (c_ip) in a lookup table. As a true test to make a search to compare these values with the values in the log file, and if they do not match, I need to trigger an alert.

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

Happy Splunking!
0 Karma

vesug
New Member

Thank you!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...