Security

How to exclude user name that start with the number "0" on a correlation search on ES?

ajromero
Path Finder

how to exclude user name that start with the number "0" on a correlation search on ES

This is the query:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90

and I want to remove all user that start with "0"

ajromero_0-1645731852832.png

Thank you

 

Labels (2)
0 Karma
1 Solution

tofa
Explorer

Hi Araceli,

Possibly a regex exclusion:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90
| regex user!="^0|^[0-9a-zA-Z\-]+$|<YOURPATTERNHERE>"

 Or just the opposite: if you, for example, got user with firstname.lastname format in your company:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90
| regex user="^[A-Za-z]+\.[A-Za-z]+"​



View solution in original post

0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

Hey @ajromero,

You can append  | search user != 0* to the query and exclude users starting with 0. You search query should look something like below:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90
| search user != 0*
---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma

ajromero
Path Finder

Hi tshah-splunk

I tried that and it worked, but just realized that there more users with different names like these

ajromero_0-1645806579367.png

How can I exclude that kind of users?

 

Thank you,

Araceli

 

 

 

0 Karma

tofa
Explorer

Hi Araceli,

Possibly a regex exclusion:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90
| regex user!="^0|^[0-9a-zA-Z\-]+$|<YOURPATTERNHERE>"

 Or just the opposite: if you, for example, got user with firstname.lastname format in your company:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90
| regex user="^[A-Za-z]+\.[A-Za-z]+"​



0 Karma

ajromero
Path Finder

Hi,

that actually worked pretty good for me. 

 

thank you

 

Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...