topic Re: How can I filter different values from the same field ? in Splunk Search

How can I filter different values from the same field ?

pgadhari — Thu, 27 Dec 2018 08:25:03 GMT

Hi Experts,

I have a field called "Login" in my events, which has various types of values such as "1111@domain1.com", "temp-username@domain1.com, "security@domain1.com", "serviceaccounts@domain1.com".

Now, here I want to create 2 panels, wherein in one panel, it would show only the actual users count considering ( 1111, temp-*, & *security* ) — this would show only users, while the second panel would show only serviceaccounts, which are used by services. This way I can display actual users and service accounts in our application.

Please help me figure out how to achieve this.

Regards
PG

Re: How can I filter different values from the same field ?

whrg — Thu, 27 Dec 2018 08:40:57 GMT

How do you differentiate between user accounts and service accounts? Do all service accounts start with "serviceaccounts@"?

Re: How can I filter different values from the same field ?

pgadhari — Thu, 27 Dec 2018 08:50:34 GMT

No, every service account will have the name as "oracleapp@domain1.com", "oracledb@domain1.com" etc.. based on specific applications for which the account is created. Actually the logic would be like - if I filter "1111", "temp-" & "security" from that Login field, I should be able to differentiate between those accounts, but I am finding little bit difficult to do that filtering on a single field. Appreciate if you can help in this ? Thanks.

Re: How can I filter different values from the same field ?

whrg — Thu, 27 Dec 2018 09:40:32 GMT

Since you want 2 separate panels (perhaps single value panels), this could be your search for actual user accounts:

| your base search
| search Login="1111@*" OR Login="temp-username@*" OR Login="security@*"
| stats dc(Login) as User_Accounts

The search for service accounts is just negated:

| your base search
| search Login!="1111@*" Login!="temp-username@*" Login!="security@*"
| stats dc(Login) as Service_Accounts

Re: How can I filter different values from the same field ?

pgadhari — Thu, 27 Dec 2018 09:49:30 GMT

Actually, "1111" is just an example I have given. This value consists of all the empid of 3000 employees (which is between 1 to 4 digits), I want to filter all those values that start with dddd@domain1.com, rest "temp-*" and security value I can filter. The only challenge is I want to filter "1111", "2222", "22","333" and so on. There I am facing the challenge. Please help.

Re: How can I filter different values from the same field ?

whrg — Tue, 29 Sep 2020 22:32:29 GMT

How about this?

| your base search
| eval Is_User_Account=if(match(Login,"^\d{1,4}@") OR match(Login,"^temp-") OR match(Login,"^security"),"yes","no")
| search Is_User_Account="yes"
| stats dc(Login) as User_Accounts

search Is_User_Account="no" for service accounts.

Re: How can I filter different values from the same field ?

pgadhari — Thu, 27 Dec 2018 11:06:17 GMT

Actually, this query will show the count, but I want to show the usernames also in the table, as to who are normal user accounts and who are service accounts. This I will be showing in a table with giving 2 radio button like - Normal Account Service Accounts:

So if the person, select Normal Account radio button, all those shud be listed and if the person selects "Generic Account" radio button, all generic accounts should be displayed. Please help in that regards ? Thanks.

Re: How can I filter different values from the same field ?

pgadhari — Thu, 27 Dec 2018 12:41:54 GMT

Hi whrg.. can you please reply on my latest comment ? Actually I need to resolve this issue at the earliest please. Thanks.

Re: How can I filter different values from the same field ?

whrg — Thu, 27 Dec 2018 16:26:26 GMT

If you want a table of all accounts along with their respective status, then try this:

| your base search
| dedup Login
| eval Is_User_Account=if(match(Login,"^\d{1,4}@") OR match(Login,"^temp-") OR match(Login,"^security"),"yes","no")
| table Login,Is_User_Account

You can filter for the type of account via a token, which is set by a radio button, after the eval command.

Re: How can I filter different values from the same field ?

pgadhari — Fri, 28 Dec 2018 18:11:47 GMT

Ya this is working great. But I just figured out that, this field "Login" which I am using is having only email ids (xxxx@domain1.com), it is not showing the Name of the person, instead it is showing empid, temp-*, & service accounts emails.

Actually, there is another field called displayname - which actually shows the first name and last name of that particular emails returning in above query - which is the actual field which I want to show in the dropdown - so that any person can look for the usernames instead of their email-ids. If I use this above query, it will show 1111@domain1.com, temp-personname@domain1.com and so on, but I want to show the Names of the employees in the dropdown. Please let me now how can i do that ? I mean how I can map the field with the field. Please help ? Thanks.

Re: How can I filter different values from the same field ?

pgadhari — Sat, 29 Dec 2018 09:33:57 GMT

One more thing in the search below, ^security is showing only small case, it is not showing - "Security" or "SECURITY" in the search, I mean it is case sensitive, how can I make it case insensitive, also can I use * sign instead of ^, so that I get all combinations of security keyword - "match(Login,"security"),"yes","no"). Please help ?

 your base search
 | dedup Login
 | eval Is_User_Account=if(match(Login,"^\d{1,4}@") OR match(Login,"^temp-") OR match(Login,"^security"),"yes","no")
 | table Login,Is_User_Account

Re: How can I filter different values from the same field ?

whrg — Mon, 31 Dec 2018 17:37:05 GMT

Hello @pgadhari,
Check out this dashboard.
lower() converts a string to lower case.
match() is for matching a regex. The ^ refers to the start of the line. You could also use like() instead.

<form>
  <label>Users</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="displayname">
      <label>displayname</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>displayname="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>displayname</fieldForLabel>
      <fieldForValue>displayname</fieldForValue>
      <search>
        <query>index=... source=... | stats count by displayname</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
    </input>
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=... source=... $displayname$
| eval Is_User_Account=if(match(Login,"^\d{1,4}@") OR match(lower(Login),"^temp-") OR match(lower(Login),"security"),"yes","no")
| table Login,displayname,Is_User_Account
| sort Login</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Re: How can I filter different values from the same field ?

woodcock — Tue, 01 Jan 2019 22:10:59 GMT

You need to create a users.csv or a serviceaccounts.csv file and create a lookup table with it. Then you can do a search like:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND NOT (|inputlookup serviceaccounts.csv | table Login)

Re: How can I filter different values from the same field ?

mstjohn_splunk — Mon, 07 Jan 2019 21:34:58 GMT

hi @pgadhari,

Did you get a chance to try @woodcock 's solution? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

Re: How can I filter different values from the same field ?

pgadhari — Wed, 09 Jan 2019 06:10:58 GMT

Actually creating users.csv and serviceaccounts.csv will be tedious task for me, as these are employees and consultants which is a long list. Hence, this solution does not fit my requirements. But thank you @woodcock for your valuable inputs.

Re: How can I filter different values from the same field ?

pgadhari — Wed, 09 Jan 2019 06:13:05 GMT

But still, I will upvote @woodcock solution, as for someone that will be definitely helpful. 🙂