topic Re: problem with hyphen in field values in Monitoring Splunk

problem with hyphen in field values

paulw10 — Mon, 16 Nov 2020 19:02:06 GMT

I am trying to create an alert to track failed login events on windows machines

e.g.

index=fa_servers EventCode=4625 OR 533 OR 529

but I have a problem where the account name in the event has a hyphen. Splunk is treating the hyphen as another account name

Values

Count	%
-	87	100%
OMGHCLPP-ADS002$	46	52.874%
ALPHCLPP-ADS002$	41	47.126%

you can see the 87 count is 46+41 so its treating the hyphen as its own value.

I have been trying to use eval and mvindex to try and just extract the 2 usernames but i am not getting anywhere. can someone explain how i can properly parse these values so it only sees 2 account names

Re: problem with hyphen in field values

ITWhisperer — Mon, 16 Nov 2020 19:08:00 GMT

Can you share the query you used to get these results and some sample events?

Re: problem with hyphen in field values

paulw10 — Mon, 16 Nov 2020 21:05:06 GMT

it's ok I managed to find the problem. i Was not digging far enough into the RAW events and in actual fact the events mentioned Account_name twice with the second value showing as - so Splunk naturally recorded two account names for the events.