Getting Data In

Normalize user fields across multiple sourcetypes

jwalzerpitt
Motivator

I have three different sourcetypes in which each user field is labeled differently: TargetUserName, User, sremote_userid

I would like to normalize the user fields so I could search just one field (myuser) for failed logins across all three sourcetypes.

I created a field alias called 'myuser' that contains the three field aliases (TargetUserName=myuser, User=TargetUserName, sremote_userid=myuser). I assume I now have to create three different eventtypes, one failed login eventtype for each sourcetype.

Once I create the three eventtypes, what would my search look like?

Thx

1 Solution

lguinn2
Legend

I would do this: as you create each of the failed login eventtypes, give all of them the same tag - let's call it "failed_login".

Then your search could look like this:

tag=failed_login | stats count by myuser host

I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:

eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host

HTH

jwalzerpitt
Motivator

Right now I have one alias with a '*' for sourcetype. Do I need to create an alias per sourcetype (in my case three aliases)?

Thx

jwalzerpitt
Motivator

That was it - created three field aliases and was able to run the search - thx for everyone's help!

lguinn2
Legend

Yes, aliases are per sourcetype. Actually, you should only need 3 aliases - each alias should be specific to a sourcetype. Also, if you want others to use your aliases, tags and eventtypes, you should be sure to change the permissions to read - and make them consistent. It won't work for you to give read permissions for the tag, but no permissions for the underlying fields or eventtypes.
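
The per-sourcetype aliases, failed-login eventtypes and shared tag described in the accepted answer, written out as Splunk .conf stanzas (an added example, not the poster's or Splunk's own configuration; the sourcetype names and the failed-login search criteria are assumed placeholders):

```ini
# props.conf: one FIELDALIAS per sourcetype, as the answer recommends.
# Sourcetype names are assumed. Field names are case-sensitive, so the
# left-hand side must match the extracted field name exactly.
[win_security]
FIELDALIAS-myuser = TargetUserName AS myuser

[app_auth]
FIELDALIAS-myuser = User AS myuser

[vpn_auth]
FIELDALIAS-myuser = sremote_userid AS myuser

# eventtypes.conf: one failed-login eventtype per sourcetype.
# The failure criteria below are assumed; use whatever marks a failed
# logon in each of your sources.
[failed_login_win]
search = sourcetype=win_security EventCode=4625

[failed_login_app]
search = sourcetype=app_auth "authentication failed"

[failed_login_vpn]
search = sourcetype=vpn_auth result=FAILURE

# tags.conf: give all three eventtypes the same tag so one search
# (tag=failed_login | stats count by myuser host) covers every source.
[eventtype=failed_login_win]
failed_login = enabled

[eventtype=failed_login_app]
failed_login = enabled

[eventtype=failed_login_vpn]
failed_login = enabled
```

As the answer notes, the tag is only useful to other users if the aliases and eventtypes it depends on carry the same read permissions.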

jwalzerpitt
Motivator

I have three aliases with the read permission set and I am now getting results. I am in the process of creating other aliases (for IP, host, etc) so I can incorporate those into the search as well.

Thx again!

ppablo
Community Manager

Hi @jwalzerpitt

Glad you found a solution through the awesome @lguinn 🙂 Please don't forget to resolve the post by clicking "Accept" directly below her answer. Cheers!

jwalzerpitt
Motivator

She is awesome! Answer accepted

jwalzerpitt
Motivator

Thx for the reply.

I am running the search, 'tag::failure | stats count by myuser', but I am getting no results found as opposed to running 'tag::failure' and getting results.

I double checked my field alias, 'myuser', and it reads as follows:

TargetUserName = myuser
User = myuser
sremote_UserID = myuser

I did restart Splunk to ensure the changes took place.

lguinn2
Legend

When you run the search (without the stats), do you see the 4 fields in the "fields sidebar?"
All of them should appear. You might have to click the "all fields" link to see them.

gcusello
Legend

Once you have created the three eventtypes for failed login, assign the tag LOGFAIL to each one.
Now you can search for tag=LOGFAIL and get the events of all three eventtypes.
Bye.
Giuseppe

jwalzerpitt
Motivator

I created the three event types and assigned tag=failure to each. I then run a search 'tag::failure'.

How do I then search by the field alias 'myuser' instead of searching on the three individual user fields?

Thx
