Reporting

Search a Splunk Enterpirse Security DataModel - problem with Wildcards

Path Finder

Im trying to limit my search down to just certain accounts from the the authentication Data Model but wildcards dont seem to limit the results as I'd normally expect when search a specific index instead of the DM.

I've tried a few options which I'd have hoped would work, but it just returns ALL account names;

| datamodel Authentication Authentication search | search Account_Name="abc*"

| datamodel Authentication Authentication search | search Account_Name="abc"

| datamodel Authentication Authentication search | search Account_Name=abc*

| datamodel Authentication Authentication search | where like(Account_Name,"abc%")

Is there a particular way you should use a wildcard within a DM search?

Thanks.

1 Solution

Path Finder

Worked it out. User error. The original soloution worked fine. But when throwing a 'stats values(Account_Name)' on the end it through up other results.

View solution in original post

0 Karma

Path Finder

Worked it out. User error. The original soloution worked fine. But when throwing a 'stats values(Account_Name)' on the end it through up other results.

View solution in original post

0 Karma