Re: problem with hyphen in field values

paulw10 · ‎11-16-2020

I am trying to create an alert to track failed login events on windows machines

e.g.

index=fa_servers EventCode=4625 OR 533 OR 529

but I have a problem where the account name in the event has a hyphen. Splunk is treating the hyphen as another account name

Values

Count	%
-	87	100%
OMGHCLPP-ADS002$	46	52.874%
ALPHCLPP-ADS002$	41	47.126%

you can see the 87 count is 46+41 so its treating the hyphen as its own value.

I have been trying to use eval and mvindex to try and just extract the 2 usernames but i am not getting anywhere. can someone explain how i can properly parse these values so it only sees 2 account names

paulw10 · ‎11-16-2020

it's ok I managed to find the problem. i Was not digging far enough into the RAW events and in actual fact the events mentioned Account_name twice with the second value showing as - so Splunk naturally recorded two account names for the events.

ITWhisperer · ‎11-16-2020

Can you share the query you used to get these results and some sample events?

problem with hyphen in field values

monitoring console

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation