Getting Data In

Normalize user fields across multiple sourcetypes

jwalzerpitt
Influencer

I have three different sourcetypes in which each user field is labeled differently: TargetUserName, User, sremote_userid

I would like to normalize the user fields so I could search just one field (myuser) for failed logins across all three sourcetypes.

I created a field alias called 'myuser' that contains the three field aliases (TargetUserName=myuser, User=TargetUserName, sremote_userid=myuser). I assume I now have to create three different eventtypes, one failed login eventtype for each sourcetype.

Once I create the three eventtypes, what would my search look like?

Thx

0 Karma
1 Solution

lguinn2
Legend

I would do this: as you create each of the failed login eventtypes, give all of them the same tag - let's call it "failed_login".

Then your search could look like this:

tag=failed_login | stats count by myuser host

I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:

eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host

HTH

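For reference, here is how the approach in the accepted answer could be laid out in the Splunk .conf files. This is an added example and not configuration from anyone in the thread; the sourcetype names, the app name implied by the metadata file, and the failure-condition search strings are placeholders you would replace with your own.

```ini
# props.conf -- field aliases are defined per sourcetype, so one stanza per
# source. Sourcetype names st_windows / st_app / st_vpn are placeholders.
[st_windows]
FIELDALIAS-myuser = TargetUserName AS myuser

[st_app]
FIELDALIAS-myuser = User AS myuser

[st_vpn]
FIELDALIAS-myuser = sremote_userid AS myuser

# eventtypes.conf -- one failed-login eventtype per sourcetype. The quoted
# strings stand in for whatever marks a failed login in each data source.
[fail_type1]
search = sourcetype=st_windows "FAILURE-CONDITION-PLACEHOLDER"

[fail_type2]
search = sourcetype=st_app "FAILURE-CONDITION-PLACEHOLDER"

[fail_type3]
search = sourcetype=st_vpn "FAILURE-CONDITION-PLACEHOLDER"

# tags.conf -- the same tag on all three eventtypes, so a single search
# (tag=failed_login | stats count by myuser host) covers every source.
[eventtype=fail_type1]
failed_login = enabled

[eventtype=fail_type2]
failed_login = enabled

[eventtype=fail_type3]
failed_login = enabled

# metadata/local.meta -- the aliases, eventtypes and tag all need to be
# readable by the same users, otherwise the tag search returns nothing.
[props]
export = system
access = read : [ * ], write : [ admin ]

[eventtypes]
export = system
access = read : [ * ], write : [ admin ]

[tags]
export = system
access = read : [ * ], write : [ admin ]
```

Aliases are applied before eventtypes and tags in search-time processing, so `myuser` is available to the `stats` command no matter which of the three sourcetypes an event came from.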


jwalzerpitt
Influencer

Right now I have one alias with a '*' for sourcetype. Do I need to create an alias per sourcetype (in my case three aliases)?

Thx

0 Karma

jwalzerpitt
Influencer

That was it - created three field aliases and was able to run the search - thx for everyone's help!

0 Karma

lguinn2
Legend

Yes, aliases are per sourcetype. Actually, you should only need 3 aliases - each alias should be specific to a sourcetype. Also, if you want others to use your aliases, tags and eventtypes, you should be sure to change the permissions to read - and make them consistent. It won't work for you to give read permissions for the tag, but no permissions for the underlying fields or eventtypes.

jwalzerpitt
Influencer

I have three aliases with the read permission set and I am now getting results. I am in the process of creating other aliases (for IP, host, etc) so I can incorporate those into the search as well.

Thx again!

0 Karma

ppablo
Retired

Hi @jwalzerpitt

Glad you found a solution through the awesome @lguinn 🙂 Please don't forget to resolve the post by clicking "Accept" directly below her answer. Cheers!

0 Karma

jwalzerpitt
Influencer

She is awesome! Answer accepted

0 Karma

jwalzerpitt
Influencer

Thx for the reply.

I am running the search, 'tag::failure | stats count by myuser', but I am getting no results found as opposed to running 'tag::failure' and getting results.

I double checked my field alias, 'myuser', and it reads as follows:

TargetUserName = myuser
User = myuser
sremote_UserID = myuser

I did restart Splunk to ensure the changes took place.

0 Karma

lguinn2
Legend

When you run the search (without the stats), do you see the 4 fields in the "fields sidebar"?
All of them should appear. You might have to click the "all fields" link to see them.

0 Karma

gcusello
SplunkTrust

Once you have created the three eventtypes for failed login, assign the tag=LOGFAIL to each one.
Now you can search for tag=LOGFAIL and get the events of all three eventtypes.
Bye.
Giuseppe

0 Karma

jwalzerpitt
Influencer

I created the three event types and assigned tag=failure to each. I then run a search 'tag::failure'.

How do I then search by the field alias 'myuser' instead of searching on the three individual user fields?

Thx

0 Karma