Getting Data In

Normalize user fields across multiple sourcetypes

jwalzerpitt
Influencer

I have three different sourcetypes in which each user field is labeled differently: TargetUserName, User, sremote_userid

I would like to normalize the user fields so I could search just one field (myuser) for failed logins across all three sourcetypes.

I created a field alias called 'myuser' that contains the three field aliases (TargetUserName=myuser, User=TargetUserName, sremote_userid=myuser). I assume I now have to create three different eventtypes, one failed login eventtype for each sourcetype.

Once I create the three eventtypes, what would my search look like?

Thx

0 Karma
1 Solution

lguinn2
Legend

I would do this: as you create each of the failed login eventtypes, give all of them the same tag - let's call it "failed_login".

Then your search could look like this:

tag=failed_login | stats count by myuser host

I just made up the stats for fun. If you choose not to tag the eventtypes, then your search would look like this:

eventtype=fail_type1 OR eventtype=fail_type2 OR eventtype=fail_type3 | stats count by myuser host

HTH

jwalzerpitt
Influencer

Right now I have one alias with a '*' for sourcetype. Do I need to create an alias per sourcetype (in my case three aliases)?

Thx

0 Karma

jwalzerpitt
Influencer

That was it - created three field aliases and was able to run the search - thx for everyone's help!

0 Karma

lguinn2
Legend

Yes, aliases are per sourcetype. Actually, you should only need 3 aliases - each alias should be specific to a sourcetype. Also, if you want others to use your aliases, tags and eventtypes, you should be sure to change the permissions to read - and make them consistent. It won't work for you to give read permissions for the tag, but no permissions for the underlying fields or eventtypes.
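Putting the accepted answer (eventtypes plus one shared tag) and the "aliases are per sourcetype" comment above together, here is the set of configuration stanzas that implements the whole thing. This is an added example, not configuration posted in the thread. The three sourcetype names (WinEventLog:Security, vpn:auth, app:auth), the app-side failure conditions (action=failure, status=failed), and the tag name failed_login are assumptions chosen for illustration; EventCode=4625 is the real Windows "An account failed to log on" event. Substitute your own sourcetypes and failure conditions.

```ini
# Added example, not from the thread. Sourcetype names and the non-Windows
# failure conditions are placeholders; replace them with the real ones.

# --- props.conf: one FIELDALIAS per sourcetype. A single [*] stanza is not
# enough (see the thread); each stanza maps that source's own user field
# to the common field myuser.
[WinEventLog:Security]
FIELDALIAS-myuser = TargetUserName AS myuser

[vpn:auth]
FIELDALIAS-myuser = User AS myuser

[app:auth]
FIELDALIAS-myuser = sremote_userid AS myuser

# --- eventtypes.conf: one failed-login eventtype per sourcetype.
# EventCode 4625 is the Windows failed-logon event; the other two
# conditions are assumed and stand in for whatever marks a failure
# in those sources.
[failed_login_windows]
search = sourcetype="WinEventLog:Security" EventCode=4625

[failed_login_vpn]
search = sourcetype="vpn:auth" action=failure

[failed_login_app]
search = sourcetype="app:auth" status=failed

# --- tags.conf: the same tag on all three eventtypes, so one search
# (tag=failed_login) covers every source.
[eventtype=failed_login_windows]
failed_login = enabled

[eventtype=failed_login_vpn]
failed_login = enabled

[eventtype=failed_login_app]
failed_login = enabled

# --- metadata/local.meta in the same app: share the aliases, eventtypes
# and tags consistently. Sharing only the tag while the props aliases stay
# private gives other users the events but no myuser field.
[props]
export = system
access = read : [ * ], write : [ admin ]

[eventtypes]
export = system
access = read : [ * ], write : [ admin ]

[tags]
export = system
access = read : [ * ], write : [ admin ]
```

With these in place the search is the one from the accepted answer, tag=failed_login | stats count by myuser host. Two checks worth doing before blaming the config: run tag=failed_login without the stats and confirm myuser appears in the fields sidebar for events from all three sourcetypes, and confirm the alias source fields are spelled exactly as they are extracted, since Splunk field names are case sensitive (the thread above uses both sremote_userid and sremote_UserID, and an alias on the wrong spelling silently produces no myuser value).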

jwalzerpitt
Influencer

I have three aliases with the read permission set and I am now getting results. I am in the process of creating other aliases (for IP, host, etc) so I can incorporate those into the search as well.

Thx again!

0 Karma

ppablo
Retired

Hi @jwalzerpitt

Glad you found a solution through the awesome @lguinn 🙂 Please don't forget to resolve the post by clicking "Accept" directly below her answer. Cheers!

0 Karma

jwalzerpitt
Influencer

She is awesome! Answer accepted

0 Karma

jwalzerpitt
Influencer

Thx for the reply.

I am running the search, 'tag::failure | stats count by myuser', but I am getting no results found as opposed to running 'tag::failure' and getting results.

I double checked my field alias, 'myuser', and it reads as follows:

TargetUserName = myuser
User = myuser
sremote_UserID = myuser

I did restart Splunk to ensure the changes took place.

0 Karma

lguinn2
Legend

When you run the search (without the stats), do you see the 4 fields in the "fields sidebar?"
All of them should appear. You might have to click the "all fields" link to see them.

0 Karma

gcusello
SplunkTrust

Once you have created the three eventtypes for failed login, assign the tag LOGFAIL to each one.
Now you can search for tag=LOGFAIL and get the events from all three eventtypes.
Bye.
Giuseppe

0 Karma

jwalzerpitt
Influencer

I created the three event types and assigned tag=failure to each. I then run a search 'tag::failure'.

How do I then search by the field alias 'myuser' instead of searching on the three individual user fields?

Thx

0 Karma