Monitoring Splunk

problem with hyphen in field values

paulw10
Explorer

I am trying to create an alert to track failed login events on Windows machines,

e.g.

index=fa_servers (EventCode=4625 OR EventCode=533 OR EventCode=529)

but I have a problem where the account name in the event has a hyphen. Splunk is treating the hyphen as another account name:

Values              Count   %
-                   87      100%
OMGHCLPP-ADS002$    46      52.874%
ALPHCLPP-ADS002$    41      47.126%

You can see the 87 count is 46+41, so it's treating the hyphen as its own value.

I have been trying to use eval and mvindex to try and just extract the 2 usernames, but I am not getting anywhere. Can someone explain how I can properly parse these values so it only sees 2 account names?


paulw10
Explorer

It's OK, I managed to find the problem. I was not digging far enough into the RAW events, and in actual fact the events mentioned Account_Name twice, with the second value showing as "-", so Splunk naturally recorded two account names for the events.

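The following SPL search is an added example, not part of the original thread, showing one way to count failures by the account that actually failed to log on when Account_Name carries two values (the Subject account and the target account, one of which is often "-"). The index name fa_servers, the event codes and the field name Account_Name come from the thread; the result field names Target_Account and failures are assumptions made for this example.

```spl
index=fa_servers (EventCode=4625 OR EventCode=529 OR EventCode=533)
| eval Target_Account=mvindex(mvfilter(Account_Name!="-"), -1)
| where isnotnull(Target_Account)
| stats count AS failures BY Target_Account
| sort - failures
```

mvfilter drops the placeholder "-" wherever it appears in the multivalue field, so the search does not depend on which position the hyphen occupies; mvindex with -1 then takes the last remaining value, which assumes that when both Subject and target accounts are real names, the target is listed second (the usual order for 4625 events). The where clause removes events where neither value survived, so an alert built on the stats output only fires on named accounts.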

ITWhisperer
SplunkTrust

Can you share the query you used to get these results and some sample events?
