Alerting

comparing a field and external file

aniketb
Path Finder

Hello all,

I'm a very new splunk user. I have this question:

I have a list of verified hostnames. I can put them in any file, .txt or .csv, its just a list.
I also have my hostname field in logs correctly extracted.

I would like to set up an alert if the hostname doesn't match with any approved one from the list.

How should I go ahead with it? Answers or even pointers would be helpful.

1 Solution

cburr2012
Path Finder

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

View solution in original post

cburr2012
Path Finder

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

carmackd
Communicator

upload the host list as a lookup file (save as .csv) host column header named hostname

run this search

sourcetype=<my_sourcetype_name_here> NOT [|inputlookup <lookup_name_here>.csv | fields hostname]
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...