Best method to keep lookup file value fresh
Say I have to monitor the user activity of 3 specific departments: Science, History and Math.
The goal is to send an alert whenever any user from any of these departments downloads a file from site XYZ.
Currently, I have a lookup file of all the users from these three departments.
users
----------------------
user1@organization.edu
user2@organization.edu
user3@organization.edu
user4@organization.edu
user5@organization.edu
One problem: users can join, leave, or transfer to other departments at any time.
Fortunately, these activities (joins and leaves) are tracked and they are available in Splunk.
index=directory status=*
-----------------------------------------------
{
"username":"user1@organization.edu",
"department":"Science",
"status":"added"
}
{
"username":"user1@organization.edu",
"department":"Science",
"status":"removed"
}
{
"username":"user2@organization.edu",
"department":"History",
"status":"added"
}
{
"username":"user3@organization.edu",
"department":"Math",
"status":"added"
}
{
"username":"MRROBOT@organization.edu",
"department":"Math",
"status":"added"
}
In this example, suppose I forget to update the lookup file: I will not get an alert when MRROBOT@organization.edu downloads a file, and at the same time I will still get an alert when user1@organization.edu downloads a file.
One solution I can think of is to update the lookup manually using the inputlookup and outputlookup commands, e.g.:
| inputlookup users.csv | where users!="user1@organization.edu" | outputlookup users.csv
However, I don't think this is an efficient method, especially since I will most likely miss a user or two.
Is there a better way to keep the lookup file up to date? I searched around and one suggestion was to use a cron job with curl to update the list. But I am wondering if there is a simpler or better option than that.
Here is a search that should maintain the lookup file automatically using the activity events in Splunk.
`comment("Read in the lookup file. Force them to have old timestamps")`
| inputlookup users.csv | eval _time=1, status="added"
`comment("Add in activity events")`
| append [ search index=directory status=* ]
`comment("Keep only the most recent record for each user")`
| stats latest(_time) as _time, latest(status) as status by username
`comment("Throw out users with status of 'removed'")`
| where NOT status="removed"
`comment("Save the new lookup")`
| table username
| outputlookup users.csv
After the append command, you should have a list that looks like this:
user1@organization.edu added
user2@organization.edu added
user3@organization.edu added
user4@organization.edu added
user5@organization.edu added
user1@organization.edu added
user1@organization.edu removed
user2@organization.edu added
user3@organization.edu added
MRROBOT@organization.edu added
The stats command will reduce that to:
user4@organization.edu added
user5@organization.edu added
user1@organization.edu removed
user2@organization.edu added
user3@organization.edu added
MRROBOT@organization.edu added
The where command reduces it further to:
user4@organization.edu added
user5@organization.edu added
user2@organization.edu added
user3@organization.edu added
MRROBOT@organization.edu added
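The same inputlookup, append, stats latest(), where, outputlookup pipeline, re-implemented in Python as an added example so the merge rule can be checked offline. This is not the answer's SPL and not Splunk code; it also goes one step beyond the answer: with honor_department=True a user whose latest directory record places them in a department outside the three monitored ones (the "transfer to other departments" case from the question) is dropped as well, which the SPL above does not do. The lookup contents and the directory events are constructed copies of the ones on this page; the _time values and the final user4 transfer event are invented, since the events on the page carry no timestamp.

```python
"""Refresh users.csv from index=directory add/remove events (added example)."""
import csv
import io
import json

# The three departments from the question.
MONITORED_DEPARTMENTS = {"Science", "History", "Math"}

# Constructed copy of the current users.csv from the question.
CURRENT_LOOKUP = """users
user1@organization.edu
user2@organization.edu
user3@organization.edu
user4@organization.edu
user5@organization.edu
"""

# Constructed index=directory events as newline-delimited JSON, oldest first.
# _time values are invented. The last line is hypothetical: user4 transfers
# to a department that is not monitored.
DIRECTORY_EVENTS = """\
{"_time": 100, "username": "user1@organization.edu", "department": "Science", "status": "added"}
{"_time": 200, "username": "user1@organization.edu", "department": "Science", "status": "removed"}
{"_time": 300, "username": "user2@organization.edu", "department": "History", "status": "added"}
{"_time": 400, "username": "user3@organization.edu", "department": "Math", "status": "added"}
{"_time": 500, "username": "MRROBOT@organization.edu", "department": "Math", "status": "added"}
{"_time": 600, "username": "user4@organization.edu", "department": "Art", "status": "added"}
"""


def load_lookup(lookup_csv):
    """Mirrors: | inputlookup users.csv | eval _time=1, status="added".

    Lookup rows carry no department, so it is None and is treated as
    "still monitored" unless a newer event says otherwise (assumption).
    """
    reader = csv.DictReader(io.StringIO(lookup_csv))
    return [{"_time": 1, "username": row["users"], "department": None, "status": "added"}
            for row in reader]


def load_events(ndjson):
    """Mirrors: search index=directory status=* (one JSON object per line)."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def latest_per_user(records):
    """Mirrors: stats latest(_time) as _time, latest(status) as status by username.

    Keeps the whole record with the newest _time; on a tie the later record
    in input order wins, so any real event supersedes the seeded _time=1 rows.
    """
    latest = {}
    for rec in records:
        current = latest.get(rec["username"])
        if current is None or rec["_time"] >= current["_time"]:
            latest[rec["username"]] = rec
    return latest


def refresh_lookup(lookup_csv, ndjson, honor_department=False):
    """Return the sorted usernames that belong in the regenerated users.csv."""
    latest = latest_per_user(load_lookup(lookup_csv) + load_events(ndjson))
    keep = []
    for username, rec in latest.items():
        if rec["status"] == "removed":            # where NOT status="removed"
            continue
        if honor_department and rec["department"] is not None \
                and rec["department"] not in MONITORED_DEPARTMENTS:
            continue                              # transferred out of scope
        keep.append(username)
    return sorted(keep)


def render_lookup(usernames):
    """Mirrors: | table username | outputlookup users.csv, as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["users"])
    for username in usernames:
        writer.writerow([username])
    return buf.getvalue()


if __name__ == "__main__":
    print(render_lookup(refresh_lookup(CURRENT_LOOKUP, DIRECTORY_EVENTS)))
    print(render_lookup(refresh_lookup(CURRENT_LOOKUP, DIRECTORY_EVENTS, honor_department=True)))
```

With honor_department=False the result is the same set the answer arrives at (user1 dropped, MRROBOT added). With honor_department=True user4 is dropped too, because the only record that says anything about user4's department is the hypothetical "added" to Art; the SPL above would keep user4 because that record's status is still "added". Whichever rule you pick, the search has to be scheduled and the lookup written back every run, since the seeded _time=1 rows only survive until a newer event for that user arrives.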