Splunk Search

2 values for "User" field being shown.

maiks1
Engager

Hi all!

I'm currently trying to create an RDP session analysis dashboard. I'm using Sysmon event logs, specifically Event ID "3", to create an SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that exist in the Windows domain.

index=windows source=sysmon
DestinationPort=3389
EventCode=3
Image!="C:\Program Files\RANDOMAPP*"
| rename User as SourceUser
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE"
SourceUser!="NT-AUTHORITY\Network Service"
SourceUser!="NT-AUTHORITY\SYSTEM"
| stats count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort - count

Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events.
Why is this happening and how can I prevent it from appearing in the "User" field?
[screenshot: splunk.png]

When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?

User!=Windows\*
User!="Program Files*"

Also, if you check the events, you can see 2 events being displayed for "User":
[screenshot: splunk2.png]

Sorry for the bazillion questions, but I'm starting to get a bit frustrated here 😅

Thanks in advance for your help and have a great day!


efavreau
Motivator

@maiks1 When I saw another field's values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, the introduction of a new field in the log, the removal of a field (which changes the order of later fields in the log), etc. The sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you've identified what changed, then you can work on why it changed.


If this reply helps you, an upvote would be appreciated.
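A diagnostic search for the symptom in the question (two values in "User", one of them looking like the "Image" path) and for the field-order drift the reply describes. This is an added example, not code from either post; it assumes the same index, source and field names (User, Image, EventCode, DestinationPort) as the original query, and that the stray value starts with a drive letter such as "C:".

```spl
index=windows source=sysmon EventCode=3 DestinationPort=3389
| eval user_value_count=mvcount(User)
| where user_value_count > 1
| eval user_value_1=mvindex(User, 0), user_value_2=mvindex(User, 1)
| eval user_looks_like_path=if(match(user_value_1, "^[A-Za-z]:") OR match(user_value_2, "^[A-Za-z]:"), "yes", "no")
| eval SourceUser=mvfilter(NOT match(User, "^[A-Za-z]:"))
| stats count by user_value_1 user_value_2 user_looks_like_path SourceUser Image
| sort - count
```

A user_value_count above 1 confirms that User is a multivalue field (two extractions writing into the same field name rather than one extraction with a wrong value), which also explains why User!="Program Files*" drops every event: the filter is evaluated against both values. The SourceUser column shows what the query is left with once the drive-letter value is filtered out, which is a stopgap until the sourcetype's field extraction is corrected for the changed log layout.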