https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298587#M90005 <P>Hi All,</P> <P>I am writing a search string for Windows, which should return events where a privileged user (Source_User) has added a non-privileged (Target_User) user to a privileged group, or has assigned new privileges to this account.</P> <P>When running my search, I am receiving a number of events where the Source_User and Target_User values are the same (E.g. Privileges assigned at logon for a service account).</P> <P>I would like to remove duplicate values from my search (I.e. Source_User!=Target_User). I have attempted what I'd consider to be the usual suspects (listed below), but am getting no where.</P> <PRE><CODE>| where Source_User!=Target_User | search Source_User!=Target_User </CODE></PRE> <P>Can anyone suggest other ways to do this?</P> Tue, 29 Sep 2020 17:35:20 GMT MikeElliott 2020-09-29T17:35:20Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298587#M90005 <P>Hi All,</P> <P>I am writing a search string for Windows, which should return events where a privileged user (Source_User) has added a non-privileged (Target_User) user to a privileged group, or has assigned new privileges to this account.</P> <P>When running my search, I am receiving a number of events where the Source_User and Target_User values are the same (E.g. Privileges assigned at logon for a service account).</P> <P>I would like to remove duplicate values from my search (I.e. Source_User!=Target_User). I have attempted what I'd consider to be the usual suspects (listed below), but am getting no where.</P> <PRE><CODE>| where Source_User!=Target_User | search Source_User!=Target_User </CODE></PRE> <P>Can anyone suggest other ways to do this?</P> Tue, 29 Sep 2020 17:35:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298587#M90005 MikeElliott 2020-09-29T17:35:20Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298588#M90006 <P><CODE>| where Source_User!=Target_User</CODE> should work, as shown by this run-anywhere search:</P> <PRE><CODE>| makeresults | eval Source_User="user1", Target_User="user1" | append [| makeresults | eval Source_User="user1", Target_User="user2"] | where Source_User!=Target_User </CODE></PRE> <P>Can you include some sample data that doesn't work as expected?</P> Tue, 09 Jan 2018 04:15:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298588#M90006 micahkemp 2018-01-09T04:15:00Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298589#M90007 <P>hey</P> <P>I think there might be a problem of case sensitivity.</P> <PRE><CODE>&lt;your_base_query&gt;| eval Source_User=lower(Source_User) | eval Target_User=lower(Target_User) | where Source_User!=Target_User </CODE></PRE> <P>I hope that helps !</P> Tue, 09 Jan 2018 04:36:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298589#M90007 mayurr98 2018-01-09T04:36:51Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298590#M90008 <P>Hi mayurr98,</P> <P>Thank you for your help. Unfortunately, when adding your suggestions to the search, all results have been excluded.</P> <P>I tried renaming the fields to use lower case characters and then using the |where command, but still, all results were excluded.</P> Tue, 09 Jan 2018 05:16:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298590#M90008 MikeElliott 2018-01-09T05:16:19Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298591#M90009 <P>Are the Source_User and Target_User values exact matches? Does one field use <CODE>domain\user</CODE> and the other just <CODE>user</CODE>, for instance?</P> Tue, 29 Sep 2020 17:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298591#M90009 micahkemp 2020-09-29T17:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298592#M90010 <P>Hi miachkemp,</P> <P>Many thanks for your suggestion. I have included example data below.</P> <PRE><CODE>Source_User Target_User Admin_001 Admin_001 Admin_001 Admin_001 Admin_001 User_001 Admin_002 User_002 Admin_001 User_003 svc_account svc_account Admin_003 User_004 User_004 some_account </CODE></PRE> <P>I would like to be able to exclude events where there is a duplicate account under "Source User" and "Target User" headings.</P> Tue, 09 Jan 2018 05:23:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298592#M90010 MikeElliott 2018-01-09T05:23:13Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298593#M90011 <P>Is this a single event with multiple values per field? Or is each line above a separate event?</P> Tue, 09 Jan 2018 05:24:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298593#M90011 micahkemp 2018-01-09T05:24:24Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298594#M90012 <P>Hi MikeElliott,</P> <P>could you please share what search you are running with some sample data?</P> Tue, 09 Jan 2018 05:27:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298594#M90012 p_gurav 2018-01-09T05:27:53Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298595#M90013 <P>Yes, the field values are exact matches - Just the usernames. <CODE>domain\user</CODE> comes under a different field in this index.</P> Tue, 09 Jan 2018 05:33:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298595#M90013 MikeElliott 2018-01-09T05:33:59Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298596#M90014 <P>Also can you share output table wrt input table that you have given?</P> Tue, 09 Jan 2018 05:35:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298596#M90014 mayurr98 2018-01-09T05:35:38Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298597#M90015 <P>It seems likely that you have run a search like:</P> <PRE><CODE>&lt;search&gt; | stats values(Source_User) AS Source_User, values(Target_User) AS Target_User | where Source_User!=Target_User </CODE></PRE> <P>If this is the case, try this instead:</P> <PRE><CODE>&lt;search&gt; | where Source_User!=Target_User | stats values(Source_User) AS Source_User, values(Target_User) AS Target_User </CODE></PRE> <P>You are comparing a single event's Source_User and Target_User field, so you need to make sure you perform that comparison prior to running a reporting command.</P> Tue, 29 Sep 2020 17:31:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298597#M90015 micahkemp 2020-09-29T17:31:15Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298598#M90016 <P>Hi micahkemp,</P> <P>Apologies for leaving this so late, but after tweaking my search slightly, I found that your solution was the one for me!</P> <P>Thank you!</P> Tue, 13 Mar 2018 17:17:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-duplicate-field-values-from-different-fields/m-p/298598#M90016 MikeElliott 2018-03-13T17:17:23Z