https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253940#M48751 <P>That was it - created three field aliases and was able to run the search - thx for everyone's help!</P> Thu, 13 Oct 2016 16:57:08 GMT jwalzerpitt 2016-10-13T16:57:08Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253934#M48745 <P>I have three different sourcetypes in which each user field is labeled differently: TargetUserName, User, sremote_userid</P> <P>I would like to normalize the user fields so I could search just one field (myuser) for failed logins across all three sourcetypes. </P> <P>I created a field alias called 'myuser' that contains the three field aliases (TargetUserName=myuser, User=TargetUserName, sremote_userid=myuser). I assume I know have to create three different eventtypes, one failed login eventtype for each sourcetype. </P> <P>Once I create the three eventtypes, what would my search look like?</P> <P>Thx</P> Thu, 13 Oct 2016 16:17:19 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253934#M48745 jwalzerpitt 2016-10-13T16:17:19Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253935#M48746 <P>Once created the Three eventypes For failed login, assign to each one the tag=LOGFAIL.<BR /> Now you can search For tag=LOGFAIL and take the Three eventypes events.<BR /> Bye.<BR /> Giuseppe </P> Thu, 13 Oct 2016 16:34:44 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253935#M48746 gcusello 2016-10-13T16:34:44Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253936#M48747 <P>I would do this: as you create each of the failed login eventtypes, give all the of them the same <CODE>tag</CODE> - let's call it "failed_login".</P> <P>Then your search could look like this:</P> <PRE><CODE>tag=failed_login | stats count by myuser host </CODE></PRE> <P>I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:</P> <PRE><CODE>eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host </CODE></PRE> <P>HTH</P> Thu, 13 Oct 2016 16:37:11 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253936#M48747 lguinn2 2016-10-13T16:37:11Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253937#M48748 <P>I created the three event types and assigned tag=failure to each. I then run a search 'tag::failure'.</P> <P>How do I then search by the field alias 'myuser' instead of searching on the three individual user fields?</P> <P>Thx</P> Thu, 13 Oct 2016 16:38:50 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253937#M48748 jwalzerpitt 2016-10-13T16:38:50Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253938#M48749 <P>Thx for the reply.</P> <P>I am running the search, 'tag::failure | stats count by myuser', but I am getting no results found as opposed to running 'tag::failure' and getting results.</P> <P>I double checked my field alias, 'myuser', and it reads as follows:</P> <P>TargetUserName = myuser<BR /> User = myuser<BR /> sremote_UserID = myuser</P> <P>I did restart Splunk to ensure the changes took place.</P> Thu, 13 Oct 2016 16:42:45 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253938#M48749 jwalzerpitt 2016-10-13T16:42:45Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253939#M48750 <P>Right now I have one alias with a '*' for sourcetype. Do I need to create an alias per sourcetype (in my case three aliases)?</P> <P>Thx</P> Thu, 13 Oct 2016 16:52:25 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253939#M48750 jwalzerpitt 2016-10-13T16:52:25Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253940#M48751 <P>That was it - created three field aliases and was able to run the search - thx for everyone's help!</P> Thu, 13 Oct 2016 16:57:08 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253940#M48751 jwalzerpitt 2016-10-13T16:57:08Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253941#M48752 <P>When you run the search (without the stats), do you see the 4 fields in the "fields sidebar?"<BR /> All of them should appear. You might have to click the "all fields" link to see them.</P> Thu, 13 Oct 2016 17:00:44 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253941#M48752 lguinn2 2016-10-13T17:00:44Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253942#M48753 <P>Yes, aliases are per sourcetype. Actually, you should only need 3 aliases - each alias should be specific to a sourcetype. Also, if you want others to use your aliases, tags and eventtypes, you should be sure to change the permissions to read - and make them consistent. It won't work for you to give read permissions for the tag, but no permissions for the underlying fields or eventtypes.</P> Thu, 13 Oct 2016 17:02:42 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253942#M48753 lguinn2 2016-10-13T17:02:42Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253943#M48754 <P>I have three aliases with the read permission set and I am now getting results. I am in the process of creating other aliases (for IP, host, etc) so I can incorporate those into the search as well.</P> <P>Thx again!</P> Thu, 13 Oct 2016 17:11:27 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253943#M48754 jwalzerpitt 2016-10-13T17:11:27Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253944#M48755 <P>Hi @jwalzerpitt</P> <P>Glad you found a solution through the awesome @lguinn <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Please don't forget to resolve the post by clicking "Accept" directly below her answer. Cheers!</P> Thu, 13 Oct 2016 17:32:02 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253944#M48755 ppablo 2016-10-13T17:32:02Z https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253945#M48756 <P>She is awesome! Answer accepted</P> Thu, 13 Oct 2016 17:36:57 GMT https://community.splunk.com/t5/Getting-Data-In/Normalize-user-fields-across-multiple-sourcetypes/m-p/253945#M48756 jwalzerpitt 2016-10-13T17:36:57Z