Solved: Search a Splunk Enterpirse Security DataModel - pr...

jacqu3sy · ‎06-14-2017

Im trying to limit my search down to just certain accounts from the the authentication Data Model but wildcards dont seem to limit the results as I'd normally expect when search a specific index instead of the DM.

I've tried a few options which I'd have hoped would work, but it just returns ALL account names;

| datamodel Authentication Authentication search | search Account_Name="abc*"

| datamodel Authentication Authentication search | search Account_Name="abc"

| datamodel Authentication Authentication search | search Account_Name=abc*

| datamodel Authentication Authentication search | where like(Account_Name,"abc%")

Is there a particular way you should use a wildcard within a DM search?

Thanks.

jacqu3sy · ‎06-14-2017

Worked it out. User error. The original soloution worked fine. But when throwing a 'stats values(Account_Name)' on the end it through up other results.

View solution in original post

jacqu3sy · ‎06-14-2017

Worked it out. User error. The original soloution worked fine. But when throwing a 'stats values(Account_Name)' on the end it through up other results.

Search a Splunk Enterpirse Security DataModel - problem with Wildcards

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation