How do I filter out values if they appear twice

jneg2000us — Wed, 08 Aug 2012 22:03:52 GMT

I have this data from Windows security logs and in the message section you have 2 version of the account name: I am only interested in the value of the second account string but I get both when putting into a table. In this result set, Account Name is used in both the subject and the Account is locked section of the Message value;

If my search is:
sourcetype=WinEventLog:Security EventCode=4740 ComputerName="AD*" |table _time Account_Name Caller_Computer_Name
I get both account names;

08/08/2012 03:32:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=xxxx.xyz.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=5886400217
Keywords=Audit Success
Message=A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: ADSERVER3$
Account Domain: MYDOMIAN
Logon ID: 0x3e7

Account That Was Locked Out:
Security ID: S-1-5-21-2108891353-1649483382-1341851483-2087
Account Name: mraccount

Additional Information:
Caller Computer Name: MAILSERVER

Re: How do I filter out values if they appear twice

yannK — Wed, 08 Aug 2012 22:40:05 GMT

Use multivalue fields and extract the one you want using mvindex.

see http://docs.splunk.com/Documentation/Splunk/4.3.3/User/ParseFieldsWithMultipleValues

Re: How do I filter out values if they appear twice

jneg2000us — Thu, 09 Aug 2012 13:33:42 GMT

awesome.. thanks worked

topic Re: How do I filter out values if they appear twice in Getting Data In

How do I filter out values if they appear twice

Re: How do I filter out values if they appear twice

Re: How do I filter out values if they appear twice