I have three different sourcetypes in which each user field is labeled differently: TargetUserName, User, sremote_userid
I would like to normalize the user fields so I could search just one field (myuser) for failed logins across all three sourcetypes.
I created a field alias called 'myuser' that contains the three field aliases (TargetUserName=myuser, User=TargetUserName, sremote_userid=myuser). I assume I now have to create three different eventtypes, one failed login eventtype for each sourcetype.
Once I create the three eventtypes, what would my search look like?
Thx
I would do this: as you create each of the failed login eventtypes, give all of them the same tag
- let's call it "failed_login".
Then your search could look like this:
tag=failed_login | stats count by myuser host
I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:
eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host
HTH
Right now I have one alias with a '*' for sourcetype. Do I need to create an alias per sourcetype (in my case three aliases)?
Thx
That was it - created three field aliases and was able to run the search - thx for everyone's help!
Yes, aliases are per sourcetype. Actually, you should only need 3 aliases - each alias should be specific to a sourcetype. Also, if you want others to use your aliases, tags and eventtypes, you should be sure to change the permissions to read - and make them consistent. It won't work for you to give read permissions for the tag, but no permissions for the underlying fields or eventtypes.
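The per-sourcetype alias, eventtype and tag setup this answer describes, written out as the .conf stanzas that implement it. This is an added example, not configuration from the original thread: the three sourcetype names (WinEventLog:Security, vpn_log, app_auth), the failure condition in each eventtype search, and the app location are assumptions, so substitute your own. The four files are shown in one listing with a comment marking where each begins.

```ini
# props.conf (e.g. $SPLUNK_HOME/etc/apps/myapp/local/props.conf)
# One FIELDALIAS per sourcetype; a single alias under a wildcard
# stanza is not how field aliases are scoped. Sourcetype names are assumed.
[WinEventLog:Security]
FIELDALIAS-myuser = TargetUserName AS myuser

[vpn_log]
FIELDALIAS-myuser = User AS myuser

[app_auth]
FIELDALIAS-myuser = sremote_userid AS myuser

# eventtypes.conf
# One failed-login eventtype per sourcetype. The search terms that
# identify a failure are assumptions for illustration only.
[fail_type1]
search = sourcetype="WinEventLog:Security" EventCode=4625

[fail_type2]
search = sourcetype=vpn_log "authentication failed"

[fail_type3]
search = sourcetype=app_auth status=failure

# tags.conf
# The same tag on all three eventtypes, so tag=failed_login hits them all.
[eventtype=fail_type1]
failed_login = enabled

[eventtype=fail_type2]
failed_login = enabled

[eventtype=fail_type3]
failed_login = enabled

# metadata/local.meta
# Consistent read permission on all three object types. A readable tag
# that points at eventtypes or aliases other users cannot read returns
# nothing for them, so the access lines must match.
[props]
access = read : [ * ], write : [ admin ]
export = system

[eventtypes]
access = read : [ * ], write : [ admin ]
export = system

[tags]
access = read : [ * ], write : [ admin ]
export = system
```

With these in place, `tag=failed_login | stats count by myuser host` groups failures across all three sourcetypes on the single aliased field. Restart Splunk (or reload the app) after editing the files, then confirm myuser appears in the fields sidebar for each sourcetype before adding the stats clause.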
I have three aliases with the read permission set and I am now getting results. I am in the process of creating other aliases (for IP, host, etc) so I can incorporate those into the search as well.
Thx again!
Hi @jwalzerpitt
Glad you found a solution through the awesome @lguinn 🙂 Please don't forget to resolve the post by clicking "Accept" directly below her answer. Cheers!
She is awesome! Answer accepted
Thx for the reply.
I am running the search, 'tag::failure | stats count by myuser', but I am getting no results found as opposed to running 'tag::failure' and getting results.
I double checked my field alias, 'myuser', and it reads as follows:
TargetUserName = myuser
User = myuser
sremote_UserID = myuser
I did restart Splunk to ensure the changes took place.
When you run the search (without the stats), do you see the 4 fields in the "fields sidebar?"
All of them should appear. You might have to click the "all fields" link to see them.
Once you have created the three eventtypes for failed login, assign the tag LOGFAIL to each one.
Now you can search for tag=LOGFAIL and get the events from all three eventtypes.
Bye.
Giuseppe
I created the three event types and assigned tag=failure to each. I then run a search 'tag::failure'.
How do I then search by the field alias 'myuser' instead of searching on the three individual user fields?
Thx