Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I exclude service accounts that match the computer name in search results?

RedHonda03
Explorer
‎01-02-2018 07:48 AM

I have not been successful in building a search query that excludes results of a service account that matches the computer name. As an example, we have Server_ABC and it has an account called Server_ABC$. I only want to display results for User Names(Service accounts) that do not match the local computer name. If the service account Server_ABC$ tries to log into Server_ZYX, Server_DEF, and Server_ABC, I just want to see the entries for Server_ZYX and Server_DEF.

I have read the posts below, but they do not provide the results I am looking for.

https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html
https://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-servi...

0 Karma
Reply

micahkemp
Champion
‎01-02-2018 10:40 AM

This run anywhere example shows one possibility:

| makeresults 
| eval host="Server_ABC", user="Server_ABC$" 
| rex field=user "(?<userminusdollar>.*)\$$" 
| where host!=userminusdollar

The key to the above search is that the where command can compare two fields, whereas the search command can not.

0 Karma
Reply

RedHonda03
Explorer
‎01-02-2018 12:03 PM

Splunk error: Error in 'makeresults' command: This command must be the first command of a search.

Below is what I tried.

sourcetype="windowseventlog:security"
| makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?.*)\$$"
| where host!=userminusdollar

When I remove the first line which contains the source, I get "No results found." I'm not sure why I need to have "makeresults" be the first command of a search, when you need to have a source for the data to be searched first.

makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?.*)\$$"
| where host!=userminusdollar

0 Karma
Reply

micahkemp
Champion
‎01-02-2018 12:05 PM

My search was intended to be run by itself, not as part of another search. To try it with your data instead try this:

sourcetype=windowseventlog:security
| rex field=user "(?<userminusdollar>.*)\$$" 
| where host!=userminusdollar

The above assumes that the username is in a field called user.

0 Karma
Reply

naidusadanala
Communicator
‎01-02-2018 08:46 AM

Please share your search query

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...