Hello,
I have a search that returns 3 columns of data allowing us to check the first logon of the day (or last logoff of the day) for accounts. (see below). The issue is that when we go to Export to CSV when logged on as a limited access user, we only get the first 2 columns. So, we list Date, UserName, and Time, and in the export we only get Date and UserName. If we go in as the admin user we get all 3 columns correctly. I am not sure what permissions options would be required to add that extra column.
We currently use v4.1.3 but are planning to upgrade.
sourcetype=WinEventLog:Security eventtype=winlogon | bucket span=1h _time AS tb | convert timeformat="%d/%m/%Y" ctime(tb) AS Date | stats min(_time) AS mt by Date,User_Name | convert mktime(mt) | convert timeformat="%H:%M:%S" ctime(mt) AS "Logon Time" |dedup Date keepevents=t | fields - mt
Thanks for any thoughts on this!
Rhys

There are problems in 4.1.3 and earlier when you have field names that have a space in them and you perform an export from the Web GUI. (Bug SPL-30825)
It should have been fixed as of 4.1.4. Note that the outputcsv command is not subject to this problem. You should also be able to work around this by changing your column name "Logon Time" to "Logon_Time" (or "LogonTime" or whatever).
When I am doing an export search using the Java SDK, I am missing columns when I run this query.
search sourcetype=sourcetype_1 OR (sourcetype=sourcetype_2 NOT (Session_Duration="Session Duration"))|rex field=sourcetype "(?
What gives? I am using Splunk 6.1.1
I can now confirm that adding an "_" in the column name (removing the blank space) resolves the problem. Thanks gkanapathy.
Yes, that's correct, all columns are visible on screen. This is only a problem for the limited access user when using the Action / Export feature in the Web GUI. I'll try the suggestion below regarding spaces in the field name and see if that helps. Thank you.
I am actually going to be away for a few weeks so I'll have to give this a go when I return. Thank you for the feedback!
Can't blame you. It's a bug.
Thank you. I'll give that a try. Didn't occur to me to look at spaces in the names! Thanks again.
Just to clarify - when the limited access user runs the query interactively, are all of the columns available? They're only missing when you actually do the export?
