Alerting

Why is there a null field appended to a username in my Alerts.

splunktrainingu
Communicator

This is my search query for my alert.

index=test EventCode=4625 | eval Account_Name=mvindex(Account_Name, -1) | search NOT Account_Name="BENQ$" NOT Account_Name="-" | stats count by Account_Name
| where count >= 2

So the alert will trigger if a person fails to login 2 times or more. The PDF shows a the username (johnsmithnull) but when opening it in the table it shows johnsmith and the count of how many times. Is Johnsmithnull a title the gets appended by splunk?

Labels (1)
0 Karma
1 Solution

splunktrainingu
Communicator

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
he recommended using the inline result

View solution in original post

0 Karma

splunktrainingu
Communicator

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
he recommended using the inline result

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both).

---
If this reply helps you, Karma would be appreciated.

splunktrainingu
Communicator

I am going to run some tests then. But what is different about inline vs PDF?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Putting the results inline means recipients see the data in the body of the email, unadulterated by the PDf generator.

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunktrainingu
Communicator

Thank you!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...