Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

problem with hyphen in field values

paulw10
Explorer
‎11-16-2020 11:02 AM

I am trying to create an alert to track failed login events on windows machines

e.g.

index=fa_servers EventCode=4625 OR 533 OR 529 

but I have a problem where the account name in the event has a hyphen. Splunk is treating the hyphen as another account name  

Values

Count% 
-87100%
 
OMGHCLPP-ADS002$4652.874%
 
ALPHCLPP-ADS002$4147.126%

 

you can see the 87 count is 46+41 so its treating the hyphen as its own value. 

I have been trying to use eval and mvindex to try and just extract the 2 usernames but i am not getting anywhere. can someone explain how i can properly parse these values so it only sees 2 account names 

Labels (1)
Labels
0 Karma
Reply

paulw10
Explorer
‎11-16-2020 01:05 PM

it's ok I managed to find the problem. i Was not digging far enough into the RAW events and in actual fact the events mentioned Account_name twice with the second value showing as - so Splunk naturally recorded two account names for the events. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-16-2020 11:08 AM

Can you share the query you used to get these results and some sample events?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top