Solved: Re: How to compare logins (users) and IP addresses...

vesug · ‎02-08-2016

I have a couple logins (user) and the ip addresses (c_ip) in a lookup table. As a true test to make a search to compare these values with the values in the log file, and if they do not match, I need to trigger an alert.

renjith_nair · ‎02-09-2016

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎02-09-2016

If you want to find the IP address which are not part of lookup, try

"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]

Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names

Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0

---
What goes around comes around. If it helps, hit it with Karma 🙂

vesug · ‎02-09-2016

Thank you!

How to compare logins (users) and IP addresses from server log files to a standard list in a lookup and alert if they do not match?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio