I have not been successful in building a search query that excludes results of a service account that matches the computer name. As an example, we have Server_ABC and it has an account called Server_ABC$. I only want to display results for User Names (service accounts) that do not match the local computer name. If the service account Server_ABC$ tries to log into Server_ZYX, Server_DEF, and Server_ABC, I just want to see the entries for Server_ZYX and Server_DEF.
I have read the posts below, but they do not provide the results I am looking for.
https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html
https://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-servi...
This run anywhere example shows one possibility:
| makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar
The key to the above search is that the where command can compare two fields, whereas the search command can not.
Splunk error: Error in 'makeresults' command: This command must be the first command of a search.
Below is what I tried.
sourcetype="windowseventlog:security"
| makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar
When I remove the first line which contains the source, I get "No results found." I'm not sure why I need to have "makeresults" be the first command of a search, when you need to have a source for the data to be searched first.
makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar
My search was intended to be run by itself, not as part of another search. To try it with your data instead try this:
sourcetype=windowseventlog:security
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar
The above assumes that the username is in a field called user.
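The same filter as the search above, written in Python so it can be checked against a handful of records offline. This is an added example, not code from the original thread or from Splunk; the event records are constructed here, and it generalizes the answer's rex in two ways that are assumptions about the data rather than anything the thread states: a DOMAIN\ prefix on the account name is stripped before comparing, and the comparison is case-insensitive against the short host name (so an FQDN in host still matches its own machine account).

```python
import re

# Constructed sample records (not from the original thread): each is a
# Windows Security event reduced to the two fields the search uses.
SAMPLE_EVENTS = [
    {"host": "Server_ABC", "user": "Server_ABC$"},                  # local machine account
    {"host": "Server_ZYX", "user": "Server_ABC$"},                  # ABC$ logging on elsewhere
    {"host": "Server_DEF", "user": "Server_ABC$"},                  # ABC$ logging on elsewhere
    {"host": "Server_DEF", "user": "Server_DEF$"},                  # local machine account
    {"host": "server_abc.corp.example", "user": "SERVER_ABC$"},     # FQDN host, odd case (assumed input shape)
    {"host": "Server_ZYX", "user": "CORP\\Server_ABC$"},            # domain-prefixed name (assumed input shape)
    {"host": "Server_ZYX", "user": "jdoe"},                         # not a machine account at all
]

# Counterpart of the thread's rex "(?<userminusdollar>.*)\$$": capture the
# name before the trailing "$". The optional "DOMAIN\" prefix handling is
# an assumption added here, not part of the original search.
MACHINE_ACCOUNT = re.compile(r"^(?:[^\\]+\\)?(?P<userminusdollar>[^\\]+)\$$")


def machine_account_name(user):
    """Return the account name without its trailing '$', or None if the
    value does not look like a computer/service account."""
    m = MACHINE_ACCOUNT.match(user)
    return m.group("userminusdollar") if m else None


def is_local_machine_account(host, user):
    """True when user is the machine account of the host that logged the event.
    Compares the short host name (before the first dot), case-insensitively;
    both choices are assumptions about how the fields are populated."""
    name = machine_account_name(user)
    if name is None:
        return False
    short_host = host.split(".", 1)[0]
    return name.casefold() == short_host.casefold()


def filter_remote_machine_logons(events, keep_non_machine_accounts=False):
    """Counterpart of '| where host!=userminusdollar'.

    By default an event whose user has no trailing '$' is dropped, which is
    what the SPL does too: the rex leaves userminusdollar null for such an
    event, and a where comparison against a null field is not true.
    Pass keep_non_machine_accounts=True to keep ordinary user logons.
    """
    kept = []
    for e in events:
        name = machine_account_name(e["user"])
        if name is None:
            if keep_non_machine_accounts:
                kept.append(e)
            continue
        if not is_local_machine_account(e["host"], e["user"]):
            kept.append(e)
    return kept


if __name__ == "__main__":
    for e in filter_remote_machine_logons(SAMPLE_EVENTS):
        print(f"{e['host']:<26} {e['user']}")
```

Running it on the constructed records prints only the three Server_ABC$ logons onto Server_ZYX and Server_DEF (including the domain-prefixed one) and drops the two local machine-account entries. If the goal is to see ordinary user logons as well as remote machine-account logons, the SPL needs the same allowance the `keep_non_machine_accounts` flag gives here, for example `| where isnull(userminusdollar) OR host!=userminusdollar`.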
Please share your search query