- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- comparing a field and external file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I'm a very new splunk user. I have this question:
I have a list of verified hostnames. I can put them in any file, .txt or .csv, its just a list.
I also have my hostname field in logs correctly extracted.
I would like to set up an alert if the hostname doesn't match with any approved one from the list.
How should I go ahead with it? Answers or even pointers would be helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aniketb,
1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)
2) Open Splunk.
3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File
4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)
5) Under Manager --> Lookups --> Add New --> Lookup Definition
6) Name: hostname_lookup , lookup-file: hostname_lookup.csv
7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]
😎 Set your time and click Create --> Alert
9) Schedule your alert and have it trigger when your results are great than 0.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aniketb,
1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)
2) Open Splunk.
3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File
4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)
5) Under Manager --> Lookups --> Add New --> Lookup Definition
6) Name: hostname_lookup , lookup-file: hostname_lookup.csv
7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]
😎 Set your time and click Create --> Alert
9) Schedule your alert and have it trigger when your results are great than 0.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
upload the host list as a lookup file (save as .csv) host column header named hostname
run this search
sourcetype=<my_sourcetype_name_here> NOT [|inputlookup <lookup_name_here>.csv | fields hostname]
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
