Splunk Enterprise Security

Need help excluding results which have field values that show up in another field

fdevera
Path Finder

Need help excluding results which have field values that show up in another field.

Search: 
| tstats `summariesonly` values(Authentication.user_priority) as user_priority earliest(_time) as earliest latest(_time) as latest count from datamodel=Authentication where Authentication.signature_id=4624 Authentication.Authentication_Package=NTLM Authentication.Logon_Type=3 Authentication.user!="ANONYMOUS LOGON" Authentication.Logon_Process="NtLmSsP" NOT Authentication.type=Information NOT Authentication.Key_Length=0 by Authentication.dest Authentication.user Authentication.dest_nt_domain
| `drop_dm_object_name("Authentication")`

Results:
dest field with fully qualified hostnames (computername.xx.mycompany.com) - can also be computername.yy.mycompany.com or computername.zz.mycompany.com.

dest_nt_domain field should only have domains but also has computernames (computername) that are not fully qualified

How do I exclude results which have dest_nt_domain values that match dest values?

Example:
dest=lab001.xx.mycompany.com
dest_nt_domain=lab001

Any dest field value that starts with the dest_nt_domain value, I would like excluded from the results. The above example should be excluded.

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults 
| eval _raw="dest,dest_nt_domain
lab001.xx.mycompany.com,xx.mycompany.com
lab002.xx.mycompany.com,lab002
lab003.yy.mycompany.com,yy.mycompany.com
lab004.yy.mycompany.com,lab004
lab005.zz.mycompany.com,zz.mycompany.com
lab006.zz.mycompany.com,lab006"
| multikv forceheader=1
| where !match(dest,"^".dest_nt_domain)

@fdevera @Gunnar Let's make this easy.


fdevera
Path Finder

Sorry I didn't explain clearly.

dest field has fully qualified computernames and while many follow a naming convention, the majority do not, and we're talking about 30,000+ systems.

dest_nt_domain field should only contain actual domains or bogus domains but in this case includes computernames which I suspect are local logins. e.g. COMPUTERNAME\username.

I need something that notices the unqualified part of the fully qualified computername in the dest field, matches it up with the same computername showing up in the dest_nt_domain field and based on that match, excludes the result.

0 Karma

Gunnar
Explorer

Maybe something like this:

| makeresults 
| eval _raw="dest,dest_nt_domain
lab001.xx.mycompany.com,xx.mycompany.com
lab002.xx.mycompany.com,lab002
lab003.yy.mycompany.com,yy.mycompany.com
lab004.yy.mycompany.com,lab004
lab005.zz.mycompany.com,zz.mycompany.com
lab006.zz.mycompany.com,lab006"
| multikv forceheader=1
| eval dest_tmp=replace(dest, "^(.+?)\..*$", "\1")
| where dest_nt_domain!=dest_tmp
| table dest, dest_nt_domain, dest_tmp

The eval puts the hostname part from dest in a temporary variable; the where command keeps only those results where dest_nt_domain is not equal to the hostname stored in the temporary variable.

0 Karma
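As an added illustration (not code from either answer), the two filters above modelled in Python over constructed rows, so the difference between the prefix-regex match and the exact short-name comparison is visible on edge cases: an upper-case NetBIOS-style domain and a bogus domain that happens to be a prefix of the hostname. The function names and the ignore_case option are assumptions made here, not SPL behaviour.

```python
import re

# Constructed sample rows (not real data): dest is the FQDN, dest_nt_domain is
# either a real domain or, for local-account logons, the bare computer name.
SAMPLE_ROWS = [
    {"dest": "lab001.xx.mycompany.com", "dest_nt_domain": "xx.mycompany.com"},
    {"dest": "lab002.xx.mycompany.com", "dest_nt_domain": "lab002"},
    {"dest": "lab003.yy.mycompany.com", "dest_nt_domain": "LAB003"},  # upper-case NT domain
    {"dest": "lab004.yy.mycompany.com", "dest_nt_domain": "lab"},     # bogus domain, prefix of host
]


def prefix_filter(rows):
    """Models `where !match(dest, "^".dest_nt_domain)`: drop a row when dest starts
    with dest_nt_domain interpreted as a regex (case-sensitive; dots are wildcards,
    exactly as in the SPL match() call)."""
    return [r for r in rows if not re.match("^" + r["dest_nt_domain"], r["dest"])]


def short_name_filter(rows, ignore_case=True):
    """Models the replace()/!= approach: drop a row only when the unqualified host
    part of dest equals dest_nt_domain. ignore_case is an assumption added here
    because the NT domain field in Windows events is frequently upper case, while
    SPL's != and match() compare case-sensitively by default."""
    kept = []
    for r in rows:
        short = re.sub(r"^(.+?)\..*$", r"\1", r["dest"])  # same regex as the eval
        host, domain = short, r["dest_nt_domain"]
        if ignore_case:
            host, domain = host.lower(), domain.lower()
        if host != domain:
            kept.append(r)
    return kept


if __name__ == "__main__":
    for name, rows in (("prefix match", prefix_filter(SAMPLE_ROWS)),
                       ("short-name equality", short_name_filter(SAMPLE_ROWS))):
        print(name, "keeps:", [r["dest"] for r in rows])
```

With these rows the prefix match wrongly keeps lab003 (case mismatch) and wrongly drops lab004 (prefix "lab"), while the case-insensitive short-name comparison keeps exactly lab001 and lab004.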