Splunk ver 7.1.1
I'm using a real-time alert that triggers when there is an event whose src_ip matches black_list.csv, like below.
index=hogehoge
| lookup black_list.csv src OUTPUT status
| where isnotnull(status)
| table _time src status
But if there is such an event, this alert is continuously triggered every 5 seconds against the same event!
I think it is caused by the `lookup` command touching every event again when a new event arrives.
Should I not use `lookup` in a real-time alert?
And is this the specified behavior?
* If this is written in the documentation, I'm sorry ....
Please, someone help me.