- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Adding lookup files for tuning purposes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I'm new to Splunk (and ES) and have been asked to tune out some noise as we are getting a lot of false positives from one of the rules: Access - Excessive Failed Logins - Rule.
Could anyone help me with how I add the lookup file in my search so that it reads user and dest values stored inside?
| from datamodel:"Authentication"."Failed_Authentication" | stats values(tag) as "tag",dc(user) as "user_count",dc(dest) as "dest_count",count by "app","src" | where 'count'>=6
My aim is to build a list with destinations and users that are not included within the rule.
Any help (and explanation) would be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The big picture is this: any record that gets to the end of the search generates an alert, so any workable method to eliminate the records that you do NOT want an alert from is a valid method.
Look at the answer on this one for one example of how to input, use and update a list of field combinations to suppress the alert on...
For a more general case, here's one way to suppress records based on a lookup or csv...
https://answers.splunk.com/answers/305030/how-to-use-a-lookup-file-to-suppress-alerts.html
This one includes Somesoni2's code to look for an alert that was fired earlier...
https://answers.splunk.com/answers/403320/how-do-i-suppress-alerts-until-the-next-day-at-12.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The big picture is this: any record that gets to the end of the search generates an alert, so any workable method to eliminate the records that you do NOT want an alert from is a valid method.
Look at the answer on this one for one example of how to input, use and update a list of field combinations to suppress the alert on...
For a more general case, here's one way to suppress records based on a lookup or csv...
https://answers.splunk.com/answers/305030/how-to-use-a-lookup-file-to-suppress-alerts.html
This one includes Somesoni2's code to look for an alert that was fired earlier...
https://answers.splunk.com/answers/403320/how-do-i-suppress-alerts-until-the-next-day-at-12.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, the URL's were very helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moved the comment under the answer it related to. You're welcome!
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
