I want to be able to tag Windows system accounts, but it doesn't seem to be working correctly in 5.0 and 5.0.1, installed on Linux. I have Windows machines with Splunk forwarders on them, and they are recording events that have the following users:
I can create tags for them, but because they have spaces and dollar signs in their name, they show on the Tags Manager pages with the URI-encoded equivalent, so that spaces become %20 and the dollar sign is %24. When I try to modify the key/value pair or change its permissions from, for example, "List by field value pair" page, I get a 404 with the message:
Not tested - but Splunk usually likes field names with spaces in them to be represented within a set of quotes? "ANON LOGON".
Edit - you have seen ANONYMOUS LOGON in a log coming through? I ask because the standard convention for Windows is ANONYMOUS on its own. Logon is a separate field?
Well, that's fine, but I created the tags via the pull-down on the "user" selected field. However, I did manually add them with quotes, as you suggest, via the Tags Manager, but they don't seem to get tagged in results.
Tag names don't have quotes, nor spaces. If you really want the tag name to be similar to that, then use ANONYMOUS_LOGON as its name. The field/value pair would be user="ANONYMOUS" etc.?
Try this (sorry - a bit slow tonight). Create a new tag with the name ANON_LOGON, add a field/value pair of user="ANONYMOUS" and another value of action="login attempt".
If that fails, try running the search manually. My test was: user="admin" action="login attempt" | top user host source sourcetype | fields - percent
But I was using "admin" because I know I have those and no anons in the indexes.
You may also need to create more values for user="anonymous" OR user="ANONYMOUS"
No, I don't want the above to be tag names; those are the usernames that Windows uses. Search on user="NETWORK SERVICE" if you have a Windows client. I have several coming from the Security Eventlog. Make user a selected field, pull down "Tag user=NETWORK SERVICE", put in "foo" for the tag name, then go to Manager » Tags » List by field value pair, select user=NETWORK%20SERVICE, and you will get a 404.
ja_s... I understand re the Security Eventlog. I ran it (on 4.3) and did not have any errors. My v5 lab is down at the mo'... will try there. tag::user="foo" at the search line worked as well.
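The thread turns on three forms of the same field/value pair: the raw value Splunk extracts from the Security Eventlog (with spaces, or a trailing $ on machine accounts), the percent-encoded key the Manager page builds from it (NETWORK%20SERVICE, %24 for $), and the tags.conf stanza that the Manager writes behind the scenes. The following is an added example, not code from the original posts or from Splunk: it renders and parses tags.conf stanzas so the tag can be created without going through the Manager page that 404s, and shows the encoded key alongside it. It assumes the tags.conf layout is a `[field=value]` stanza followed by `tagname = enabled` lines, and that the Manager applies plain percent-encoding to the value; the sample account names are constructed, with the machine account name (WIN-DC01$) made up.

```python
from urllib.parse import quote

# Constructed sample values of the "user" field as Windows Security Eventlog
# events present them. NETWORK SERVICE and ANONYMOUS LOGON appear in the
# thread; the machine account WIN-DC01$ is made up for illustration.
WINDOWS_SYSTEM_ACCOUNTS = ["NETWORK SERVICE", "ANONYMOUS LOGON", "WIN-DC01$"]


def manager_uri_key(field, value):
    """The field/value pair as the Manager 'List by field value pair' page
    shows it: spaces become %20 and the dollar sign becomes %24.
    Assumption: the page uses plain percent-encoding with no safe characters."""
    return f"{field}={quote(value, safe='')}"


def tags_conf_stanza(field, value, tag):
    """Render a tags.conf stanza that enables `tag` for field=value.
    Assumed layout: [field=value] on its own line, then `tag = enabled`.
    The value is written raw (spaces and $ untouched, no quotes)."""
    return f"[{field}={value}]\n{tag} = enabled\n"


def render_tags_conf(field, values, tag):
    """One stanza per value, so every system account gets the same tag."""
    return "\n".join(tags_conf_stanza(field, v, tag) for v in values)


def parse_tags_conf(text):
    """Parse tags.conf text back into {(field, value): {tag, ...}} so a
    hand-edited file can be checked before Splunk reloads it."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Split on the first '=' only; the value may itself contain '='.
            field, _, value = line[1:-1].partition("=")
            current = (field, value)
            result.setdefault(current, set())
        elif current is not None and "=" in line:
            tag, _, state = line.partition("=")
            if state.strip() == "enabled":
                result[current].add(tag.strip())
    return result


def tag_search(tag, field="user"):
    """Search that matches events carrying the tag on that field,
    i.e. the tag::user="foo" form used in the last reply."""
    return f'tag::{field}="{tag}"'


if __name__ == "__main__":
    conf = render_tags_conf("user", WINDOWS_SYSTEM_ACCOUNTS, "foo")
    print(conf)
    for account in WINDOWS_SYSTEM_ACCOUNTS:
        print(manager_uri_key("user", account))
    print(tag_search("foo"))
```

Writing the stanzas to a tags.conf in the app or user directory and reloading bypasses the Manager edit page entirely; the `manager_uri_key` output is what to compare against the 404 URL if you want to confirm the encoded key is the one the page is failing on.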