Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I filter out values if they appear twice

jneg2000us
New Member
‎08-08-2012 03:03 PM

I have this data from Windows security logs and in the message section you have 2 version of the account name: I am only interested in the value of the second account string but I get both when putting into a table. In this result set, Account Name is used in both the subject and the Account is locked section of the Message value;

If my search is:
sourcetype=WinEventLog:Security EventCode=4740 ComputerName="AD*" |table _time Account_Name Caller_Computer_Name
I get both account names;

08/08/2012 03:32:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=xxxx.xyz.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=5886400217
Keywords=Audit Success
Message=A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: ADSERVER3$
Account Domain: MYDOMIAN
Logon ID: 0x3e7

Account That Was Locked Out:
Security ID: S-1-5-21-2108891353-1649483382-1341851483-2087
Account Name: mraccount

Additional Information:
Caller Computer Name: MAILSERVER

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎08-08-2012 03:40 PM

Use multivalue fields and extract the one you want using mvindex.

see http://docs.splunk.com/Documentation/Splunk/4.3.3/User/ParseFieldsWithMultipleValues

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎08-08-2012 03:40 PM

Use multivalue fields and extract the one you want using mvindex.

see http://docs.splunk.com/Documentation/Splunk/4.3.3/User/ParseFieldsWithMultipleValues

0 Karma
Reply
Solved! Jump to solution

jneg2000us
New Member
‎08-09-2012 06:33 AM

awesome.. thanks worked

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...