All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Alert Exclude Previous Search Result

huaw828
New Member
‎04-29-2017 05:06 PM

Hi,

I have a Splunk search which detect some potential attack Ips.
The alert scheduled every 4 hours and detect the offending IPs for last 24 hour which tried to login but failed for multiple times.
The result could be something like the following example:
ip failed_count
123.456.789.123 100
222.333.544.111 200

The problem is that, let's say the alert triggered at 8:00 am for the above result.
At 12:00 am, the alert triggered again with the following result:

ip failed_count
123.456.789.123 100
222.333.544.111 200
444.555.666.777 220

How could i exclude the previous result which already existing and only put the new one?
What i need for the alert at 12:00 am is only show:
ip failed_count
444.555.666.777 220

I tried to use Throttle to suppress results containing field value of ip, but this only works as per result, which means i would got multiple emails.

Please help, thanks in advance !

0 Karma
Reply

dineshraj9
Builder
‎05-02-2017 02:36 AM

You can try loading the results for each day in a lookup using outputlookup command and before output lookup add a check if the current result has no results that match any entry in the lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...