Getting Data In

How do I exclude service accounts that match the computer name in search results?

RedHonda03
Explorer

I have not been successful in building a search query that excludes results of a service account that matches the computer name. As an example, we have Server_ABC and it has an account called Server_ABC$. I only want to display results for User Names (service accounts) that do not match the local computer name. If the service account Server_ABC$ tries to log into Server_ZYX, Server_DEF, and Server_ABC, I just want to see the entries for Server_ZYX and Server_DEF.

I have read the posts below, but they do not provide the results I am looking for.

https://answers.splunk.com/answers/387055/how-to-exclude-computer-account-name-from-results.html
https://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-servi...

0 Karma

micahkemp
Champion

This run anywhere example shows one possibility:

| makeresults 
| eval host="Server_ABC", user="Server_ABC$" 
| rex field=user "(?<userminusdollar>.*)\$$" 
| where host!=userminusdollar

The key to the above search is that the where command can compare two fields, whereas the search command cannot.

0 Karma

RedHonda03
Explorer

Splunk error: Error in 'makeresults' command: This command must be the first command of a search.

Below is what I tried.

sourcetype="windowseventlog:security"
| makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar

When I remove the first line which contains the source, I get "No results found." I'm not sure why I need to have "makeresults" be the first command of a search, when you need to have a source for the data to be searched first.

makeresults
| eval host="Server_ABC", user="Server_ABC$"
| rex field=user "(?<userminusdollar>.*)\$$"
| where host!=userminusdollar

0 Karma

micahkemp
Champion

My search was intended to be run by itself, not as part of another search. To try it with your data instead try this:

sourcetype=windowseventlog:security
| rex field=user "(?<userminusdollar>.*)\$$" 
| where host!=userminusdollar

The above assumes that the username is in a field called user.

0 Karma
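As an added run-anywhere example (not part of the original answer), the same host-versus-account comparison with the two normalizations a practitioner usually needs on real Windows Security data: account names and host names differ in case between sources, and the host field is often a fully qualified name while the account is only the short name. The rows are constructed inline with makeresults so the search runs without any indexed data; the field names user and host are assumptions carried over from the answer above (depending on the add-on, the account may instead be in Account_Name or src_user).

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n==1, "server_abc", n==2, "SERVER_ZYX.corp.example", n==3, "server_def", n==4, "server_abc"),
       user=case(n==1, "SERVER_ABC$", n==2, "Server_ABC$", n==3, "Server_ABC$", n==4, "jsmith")
| fields - n
| rex field=user "^(?<acct_host>.+)\$$"
| eval acct_host=lower(acct_host),
       local_host=lower(mvindex(split(host, "."), 0))
| where acct_host!=local_host
| table host user acct_host local_host
```

Rows 1 and 4 are dropped and rows 2 and 3 are kept: row 1 is the machine account logging on to its own host (matched despite the case difference), row 2 is a remote logon whose host name is an FQDN (matched on the first label only), and row 4 is a human account with no trailing $, so the rex never sets acct_host and the where clause, which drops any row where the comparison does not evaluate to true, removes it. If human accounts should stay in the output, change the last condition to `where isnull(acct_host) OR acct_host!=local_host`. To run this against real data, replace the first four lines with the base search, for example `sourcetype="windowseventlog:security" user="*$"`, which also restricts the pipeline to machine accounts before the rex runs. Note that a generating command such as makeresults only works at the start of a search and must be written with the leading pipe, `| makeresults`; without it Splunk treats the word as a search term, which is one way to get "No results found".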

naidusadanala
Communicator

Please share your search query

0 Karma