Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

2 values for "User" field being shown.

maiks1
Engager
‎05-06-2024 03:23 AM

Hi all!

I'm currently trying to create a RDP session analysis dashboard.  I'm using sysmon eventlogs, specifically Event-ID "3" to create a SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that are existing in the windows domain.

 

index=windows source=sysmon 
DestinationPort=3389 
EventCode=3 
Image!="C:\Program Files\RANDOMAPP*" 
| rename User as SourceUser    
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE"  
SourceUser!="NT-AUTHORITY\Network Service"  
SourceUser!="NT-AUTHORITY\SYSTEM" 
| stats  count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort  - count

 

Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events.
Why is this happening and how can I prevent it from appearing in the "User" field?
  obfuscated png splunk.png

When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?

 

User!=Windows\*
User!="Program Files*"

 

Also, if you check the events, you can see 2 events being displayed for “User”obfuscated png splunk2.png

Sorry for the bazilion questions, but I'm starting to get a bit frustrated here 😅

Thanks in advance for your help and have a great day!

 

 

 

Labels (2)
Labels
0 Karma
Reply

efavreau
Motivator
‎05-06-2024 05:33 AM

@maiks1When I saw another fields values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, introduction of a new field in the log, removal of a field, which changes the order of later fields in the log, etc.. Sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you identified what changed, then you can work on why it changed.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...