This is my search query for my alert.
index=test EventCode=4625 | eval Account_Name=mvindex(Account_Name, -1) | search NOT Account_Name="BENQ$" NOT Account_Name="-" | stats count by Account_Name
| where count >= 2
So the alert will trigger if a person fails to log in 2 times or more. The PDF shows the username (johnsmithnull), but when opening it in the table it shows johnsmith and the count of how many times. Is Johnsmithnull a title that gets appended by Splunk?
As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
He recommended using the inline result.
Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both).
I am going to run some tests then. But what is different about inline vs PDF?
Putting the results inline means recipients see the data in the body of the email, unadulterated by the PDF generator.
Thank you!