https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360167#M65680 <P>I have not been successful in building a search query that excludes results of a service account that matches the computer name. As an example, we have Server_ABC and it has an account called Server_ABC$. I only want to display results for User Names(Service accounts) that do not match the local computer name. If the service account Server_ABC$ tries to log into Server_ZYX, Server_DEF, and Server_ABC, I just want to see the entries for Server_ZYX and Server_DEF.</P> <P>I have read the posts below, but they do not provide the results I am looking for.</P> <P><A href="https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html" target="_blank">https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html</A><BR /> <A href="https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html" target="_blank">https://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-service-file-names.html</A> </P> Tue, 29 Sep 2020 17:23:41 GMT RedHonda03 2020-09-29T17:23:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360167#M65680 <P>I have not been successful in building a search query that excludes results of a service account that matches the computer name. As an example, we have Server_ABC and it has an account called Server_ABC$. I only want to display results for User Names(Service accounts) that do not match the local computer name. If the service account Server_ABC$ tries to log into Server_ZYX, Server_DEF, and Server_ABC, I just want to see the entries for Server_ZYX and Server_DEF.</P> <P>I have read the posts below, but they do not provide the results I am looking for.</P> <P><A href="https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html" target="_blank">https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html</A><BR /> <A href="https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html" target="_blank">https://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-service-file-names.html</A> </P> Tue, 29 Sep 2020 17:23:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360167#M65680 RedHonda03 2020-09-29T17:23:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360168#M65681 <P>Please share your search query</P> Tue, 02 Jan 2018 16:46:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360168#M65681 naidusadanala 2018-01-02T16:46:43Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360169#M65682 <P>This run anywhere example shows one possibility:</P> <PRE><CODE>| makeresults | eval host="Server_ABC", user="Server_ABC$" | rex field=user "(?&lt;userminusdollar&gt;.*)\$$" | where host!=userminusdollar </CODE></PRE> <P>The key to the above search is that the <CODE>where</CODE> command can compare two fields, whereas the <CODE>search</CODE> command can not.</P> Tue, 02 Jan 2018 18:40:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360169#M65682 micahkemp 2018-01-02T18:40:09Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360170#M65683 <P>Splunk error: Error in 'makeresults' command: This command must be the first command of a search. </P> <P>Below is what I tried.</P> <P>sourcetype="windowseventlog:security"<BR /> | makeresults <BR /> | eval host="Server_ABC", user="Server_ABC$" <BR /> | rex field=user "(?.*)\$$" <BR /> | where host!=userminusdollar</P> <P>When I remove the first line which contains the source, I get "No results found." I'm not sure why I need to have "makeresults" be the first command of a search, when you need to have a source for the data to be searched first.</P> <P>makeresults <BR /> | eval host="Server_ABC", user="Server_ABC$" <BR /> | rex field=user "(?.*)\$$" <BR /> | where host!=userminusdollar</P> Tue, 29 Sep 2020 17:23:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360170#M65683 RedHonda03 2020-09-29T17:23:50Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360171#M65684 <P>My search was intended to be run by itself, not as part of another search. To try it with your data instead try this:</P> <PRE><CODE>sourcetype=windowseventlog:security | rex field=user "(?&lt;userminusdollar&gt;.*)\$$" | where host!=userminusdollar </CODE></PRE> <P>The above assumes that the username is in a field called <CODE>user</CODE>.</P> Tue, 02 Jan 2018 20:05:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-service-accounts-that-match-the-computer-name/m-p/360171#M65684 micahkemp 2018-01-02T20:05:34Z