https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269228#M80970 <P>running both search as result I obtained</P> <P>Domain controller computer account <BR /> user name</P> <P>domainctrl1$<BR /> j.doe</P> <P>domainctrl2$<BR /> s.brown</P> <P>domainctrl1$<BR /> j.smith</P> <P>I am looking just for the list of the user name</P> <P>j.doe<BR /> s.brown<BR /> j.smith</P> Wed, 30 Mar 2016 14:09:56 GMT arkonner 2016-03-30T14:09:56Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269225#M80967 <P>I am running a very simple search to determine accounts locked out:</P> <PRE><CODE>server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name="*" | Table Account_Name _time </CODE></PRE> <P>In the results as Account_Name I would like to exclude the computer account name (Server01$.....) considering that the user account name is related to the computer account name. </P> Tue, 29 Mar 2016 08:29:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269225#M80967 arkonner 2016-03-29T08:29:48Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269226#M80968 <P>You can use the where command for that:</P> <PRE><CODE>server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="" Account_Name="" | where NOT Account_Name=Computer_Name | Table Account_Name _time </CODE></PRE> <P>Or even an eval:</P> <PRE><CODE>server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="" Account_Name="" | eval Same = if(match(Account_Name,Computer_Name),1,0) | search Same = 0 | Table Account_Name _time </CODE></PRE> Tue, 29 Mar 2016 14:28:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269226#M80968 javiergn 2016-03-29T14:28:32Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269227#M80969 <P>try this? a mix of rex and fields trickery</P> <PRE><CODE>server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="" Account_Name="" | Table Account_Name _time | rex field=Account_Name "(?&lt;user&gt;\$\w+)" | fields - Account_Name </CODE></PRE> <P>This output should give you a new field called User and Omit the Server## </P> Tue, 29 Mar 2016 15:01:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269227#M80969 peauxdunk 2016-03-29T15:01:56Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269228#M80970 <P>running both search as result I obtained</P> <P>Domain controller computer account <BR /> user name</P> <P>domainctrl1$<BR /> j.doe</P> <P>domainctrl2$<BR /> s.brown</P> <P>domainctrl1$<BR /> j.smith</P> <P>I am looking just for the list of the user name</P> <P>j.doe<BR /> s.brown<BR /> j.smith</P> Wed, 30 Mar 2016 14:09:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269228#M80970 arkonner 2016-03-30T14:09:56Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269229#M80971 <P>Hi, I'm not sure what you mean but if you just need the list of usernames then simply pipe the last line in your query to fields or table followed by the field name you want to display, you can even remove duplicates with dedup. For instance:</P> <PRE><CODE>your search here | dedup UserName | table UserName </CODE></PRE> <P>If that's not what you are looking for then it might be easier if you paste your query here.</P> Fri, 01 Apr 2016 09:31:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269229#M80971 javiergn 2016-04-01T09:31:07Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269230#M80972 <P>How about?</P> <PRE><CODE>server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name!="*Server01$*"| stats values(Account_Name) as List | mvexpand List </CODE></PRE> Fri, 01 Apr 2016 13:31:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269230#M80972 Stevelim 2016-04-01T13:31:26Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269231#M80973 <P>@Stevelim I've been looking for this answer for 2 days now. You saved me!!! Thank you!</P> Mon, 17 Dec 2018 20:29:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269231#M80973 tecooper 2018-12-17T20:29:31Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269232#M80974 <P>Great to hear!</P> Fri, 21 Dec 2018 00:31:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269232#M80974 Stevelim 2018-12-21T00:31:08Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269233#M80975 <P>Like this:</P> <PRE><CODE>index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo (server01 OR server02 OR server03 OR server04) EventCode=4740 Security_ID="*" Account_Name!="*$" </CODE></PRE> Fri, 21 Dec 2018 00:38:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269233#M80975 woodcock 2018-12-21T00:38:23Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269234#M80976 <P>Reviving this as I am seeking an answer to the same issue and have yet to be able to find it.</P> <P>What arkonner was saying is that they don't want the computer accounts to show in the results. I am trying to do the same but simply ignoring values that end in "$" is sloppy and could potentially hide valid results.</P> <P>This search highlights the issue, I do not want to display results where the user matches any Workstation_Name appended with "$". The only way to make this work that I can think of is to build an array of Workstation_Name values and elminate users that match any value in the array... but I'm relatively new to Splunk and don't know how to do that yet.</P> <P>index=wineventlog sourcetype="wineventlog:security" src_ip= | stats count by Workstation_Name user</P> Tue, 29 Sep 2020 23:27:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/269234#M80976 sicknss 2020-09-29T23:27:00Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/528321#M149169 <P>I like Woodcocks reply, the component below was most valuable for eliminating computer account names</P><PRE>Account_Name!="*$"</PRE><P>&nbsp;</P> Fri, 06 Nov 2020 13:10:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-computer-account-name-from-results/m-p/528321#M149169 lazer 2020-11-06T13:10:34Z