Solved: Search a Splunk Enterpirse Security DataModel - pr...

jacqu3sy · ‎06-14-2017

Im trying to limit my search down to just certain accounts from the the authentication Data Model but wildcards dont seem to limit the results as I'd normally expect when search a specific index instead of the DM.

I've tried a few options which I'd have hoped would work, but it just returns ALL account names;

| datamodel Authentication Authentication search | search Account_Name="abc*"

| datamodel Authentication Authentication search | search Account_Name="abc"

| datamodel Authentication Authentication search | search Account_Name=abc*

| datamodel Authentication Authentication search | where like(Account_Name,"abc%")

Is there a particular way you should use a wildcard within a DM search?

Thanks.

jacqu3sy · ‎06-14-2017

Worked it out. User error. The original soloution worked fine. But when throwing a 'stats values(Account_Name)' on the end it through up other results.

View solution in original post

jacqu3sy · ‎06-14-2017

Worked it out. User error. The original soloution worked fine. But when throwing a 'stats values(Account_Name)' on the end it through up other results.

Search a Splunk Enterpirse Security DataModel - problem with Wildcards

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Search a Splunk Enterpirse Security DataModel - problem with Wildcards

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI

Splunk Observability as Code: From Zero to Dashboard