- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I exclude service accounts that match the c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I exclude service accounts that match the computer name in search results?
I have not been successful in building a search query that excludes results of a service account that matches the computer name. As an example, we have Server_ABC and it has an account called Server_ABC$. I only want to display results for User Names(Service accounts) that do not match the local computer name. If the service account Server_ABC$ tries to log into Server_ZYX, Server_DEF, and Server_ABC, I just want to see the entries for Server_ZYX and Server_DEF.
I have read the posts below, but they do not provide the results I am looking for.
https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html
https://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-servi...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This run anywhere example shows one possibility:
| makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar
The key to the above search is that the where command can compare two fields, whereas the search command can not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk error: Error in 'makeresults' command: This command must be the first command of a search.
Below is what I tried.
sourcetype="windowseventlog:security"
| makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?.*)\$$"
| where host!=userminusdollar
When I remove the first line which contains the source, I get "No results found." I'm not sure why I need to have "makeresults" be the first command of a search, when you need to have a source for the data to be searched first.
makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?.*)\$$"
| where host!=userminusdollar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My search was intended to be run by itself, not as part of another search. To try it with your data instead try this:
sourcetype=windowseventlog:security
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar
The above assumes that the username is in a field called user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share your search query
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
