Hi All,
We use Splunk to monitor super user activity (on Windows, DB, and network).
Right now we have set Splunk to send an alert on several Windows event codes for .adm users. But now we want to exclude several users' activities, so that if those users do activities on Windows, Splunk will not send the alert.
Example: we have user1.adm, user2.adm, user3.adm, and right now if all users log in to the server, Splunk will send an alert, but we want to exclude user3.adm, so if user3.adm logs in, Splunk will not send an alert.
Can someone help me, what query do I need to add to my alert search in Splunk?
Note: I need to exclude several users on all my DB, OS, and network, and the users are different in each of the OS, network, and DB.
Please advise.
Thanks,
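One way to express this kind of per-source exclusion, as an added example that is not from the original post or any reply: keep the excluded accounts in a lookup and subtract them from the alert search with a subsearch, so the list can be changed without editing the saved search. The lookup name `excluded_admins` (columns `sourcetype` and `user`, e.g. the row `WinEventLog:Security,user3.adm`), the index and sourcetype names, the EventCodes, and the assumption that the account name is extracted into a field called `user` for all three source types are all assumptions, not values from the original post.

```spl
(
    (index=wineventlog sourcetype="WinEventLog:Security" EventCode IN (4624, 4672) user="*.adm")
    OR (index=db sourcetype="oracle:audit")
    OR (index=network sourcetype="cisco:ios")
)
NOT [ | inputlookup excluded_admins | fields sourcetype user ]
| stats count min(_time) AS first_seen max(_time) AS last_seen BY sourcetype host user
```

The subsearch expands to `NOT ((sourcetype="WinEventLog:Security" AND user="user3.adm") OR ...)`, so a user is only excluded for the source type listed beside it in the lookup, which is what lets the excluded accounts differ between OS, DB, and network. Check the lookup rows with `| inputlookup excluded_admins` first, since a sourcetype value that does not match the events exactly silently excludes nothing.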