Getting Data In

Normalize user fields across multiple sourcetypes

jwalzerpitt
Influencer

I have three different sourcetypes in which each user field is labeled differently: TargetUserName, User, sremote_userid

I would like to normalize the user fields so I could search just one field (myuser) for failed logins across all three sourcetypes.

I created a field alias called 'myuser' that contains the three field aliases (TargetUserName=myuser, User=TargetUserName, sremote_userid=myuser). I assume I know have to create three different eventtypes, one failed login eventtype for each sourcetype.

Once I create the three eventtypes, what would my search look like?

Thx

0 Karma
1 Solution

lguinn2
Legend

I would do this: as you create each of the failed login eventtypes, give all the of them the same tag - let's call it "failed_login".

Then your search could look like this:

tag=failed_login | stats count by myuser host

I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:

eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host

HTH

View solution in original post

lguinn2
Legend

I would do this: as you create each of the failed login eventtypes, give all the of them the same tag - let's call it "failed_login".

Then your search could look like this:

tag=failed_login | stats count by myuser host

I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:

eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host

HTH

jwalzerpitt
Influencer

Right now I have one alias with a '*' for sourcetype. Do I need to create an alias per sourcetype (in my case three aliases)?

Thx

0 Karma

jwalzerpitt
Influencer

That was it - created three field aliases and was able to run the search - thx for everyone's help!

0 Karma

lguinn2
Legend

Yes, aliases are per sourcetype. Actually, you should only need 3 aliases - each alias should be specific to a sourcetype. Also, if you want others to use your aliases, tags and eventtypes, you should be sure to change the permissions to read - and make them consistent. It won't work for you to give read permissions for the tag, but no permissions for the underlying fields or eventtypes.

jwalzerpitt
Influencer

I have three aliases with the read permission set and I am now getting results. I am in the process of creating other aliases (for IP, host, etc) so I can incorporate those into the search as well.

Thx again!

0 Karma

ppablo
Retired

Hi @jwalzerpitt

Glad you found a solution through the awesome @lguinn 🙂 Please don't forget to resolve the post by clicking "Accept" directly below her answer. Cheers!

0 Karma

jwalzerpitt
Influencer

She is awesome! Answer accepted

0 Karma

jwalzerpitt
Influencer

Thx for the reply.

I am running the search, 'tag::failure | stats count by myuser', but I am getting no results found as opposed to running 'tag::failure' and getting results.

I double checked my field alias, 'myuser', and it reads as follows:

TargetUserName = myuser
User = myuser
sremote_UserID = myuser

I did restart Splunk to ensure the changes took place.

0 Karma

lguinn2
Legend

When you run the search (without the stats), do you see the 4 fields in the "fields sidebar?"
All of them should appear. You might have to click the "all fields" link to see them.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Once created the Three eventypes For failed login, assign to each one the tag=LOGFAIL.
Now you can search For tag=LOGFAIL and take the Three eventypes events.
Bye.
Giuseppe

0 Karma

jwalzerpitt
Influencer

I created the three event types and assigned tag=failure to each. I then run a search 'tag::failure'.

How do I then search by the field alias 'myuser' instead of searching on the three individual user fields?

Thx

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...