Re: Splunk Alert Exclude Previous Search Result

huaw828 · ‎04-29-2017

Hi,

I have a Splunk search which detect some potential attack Ips.
The alert scheduled every 4 hours and detect the offending IPs for last 24 hour which tried to login but failed for multiple times.
The result could be something like the following example:
ip failed_count
123.456.789.123 100
222.333.544.111 200

The problem is that, let's say the alert triggered at 8:00 am for the above result.
At 12:00 am, the alert triggered again with the following result:

ip failed_count
123.456.789.123 100
222.333.544.111 200
444.555.666.777 220

How could i exclude the previous result which already existing and only put the new one?
What i need for the alert at 12:00 am is only show:
ip failed_count
444.555.666.777 220

I tried to use Throttle to suppress results containing field value of ip, but this only works as per result, which means i would got multiple emails.

Please help, thanks in advance !

dineshraj9 · ‎05-02-2017

You can try loading the results for each day in a lookup using outputlookup command and before output lookup add a check if the current result has no results that match any entry in the lookup.

Splunk Alert Exclude Previous Search Result

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk