Splunk Search

2 values for "User" field being shown.

maiks1
Engager

Hi all!

I'm currently trying to create an RDP session analysis dashboard. I'm using Sysmon event logs, specifically Event-ID "3", to create a SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that exist in the Windows domain.


index=windows source=sysmon 
DestinationPort=3389 
EventCode=3 
Image!="C:\Program Files\RANDOMAPP*" 
| rename User as SourceUser    
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE"  
SourceUser!="NT-AUTHORITY\Network Service"  
SourceUser!="NT-AUTHORITY\SYSTEM" 
| stats  count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort  - count


Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events.
Why is this happening and how can I prevent it from appearing in the "User" field?

When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?


User!=Windows\*
User!="Program Files*"


Also, if you check the events, you can see 2 events being displayed for "User".

Sorry for the bazillion questions, but I'm starting to get a bit frustrated here 😅

Thanks in advance for your help and have a great day!


efavreau
Motivator

@maiks1 When I saw another field's values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, the introduction of a new field in the log, the removal of a field (which changes the order of later fields in the log), etc. The sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you have identified what changed, then you can work on why it changed.

###

If this reply helps you, an upvote would be appreciated.
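The symptom in the question (an Image path turning up in User) is exactly what a shifted extraction looks like, and it is worth checking for before trusting the stats. The following Python script is an added example, not code from the post or from Splunk: it parses constructed Sysmon Event ID 3 records in key=value form, applies the same filters as the SPL above (EventCode 3, port 3389, service accounts dropped), counts sessions per domain user, and flags records whose User value is a path instead of a DOMAIN\user account. The sample events, host names and the helper names are assumptions made up for the example.

```python
import re

# Constructed Sysmon Event ID 3 records (made-up sample data, not from the post).
SAMPLE_EVENTS = [
    'EventCode=3 Image="C:\\Windows\\System32\\mstsc.exe" User="CORP\\alice" '
    'SourceHostname=WS01 DestinationHostname=TS01 DestinationPort=3389',
    # Shifted record: the Image path has landed in User, as described above.
    'EventCode=3 Image="C:\\Windows\\System32\\mstsc.exe" '
    'User="C:\\Windows\\System32\\mstsc.exe" SourceHostname=WS02 '
    'DestinationHostname=TS01 DestinationPort=3389',
    'EventCode=3 Image="C:\\Windows\\System32\\svchost.exe" '
    'User="NT-AUTHORITY\\Network Service" SourceHostname=TS01 '
    'DestinationHostname=DC01 DestinationPort=3389',
    'EventCode=3 Image="C:\\Program Files\\Browser\\browser.exe" User="CORP\\bob" '
    'SourceHostname=WS03 DestinationHostname=WEB01 DestinationPort=443',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')        # key="quoted" or key=bare
DOMAIN_USER_RE = re.compile(r'^[^\\:]+\\[^\\:]+$')   # DOMAIN\user, no drive letter
SERVICE_ACCOUNTS = {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SYSTEM"}

def parse_event(line):
    """Split one key=value event line into a dict (surrounding quotes stripped)."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}

def classify(ev):
    """'rdp' (domain user, port 3389), 'shifted' (User holds a path), or None."""
    if ev.get("EventCode") != "3" or ev.get("DestinationPort") != "3389":
        return None
    user = ev.get("User", "")
    # Normalise the two spellings the SPL filters separately (NT AUTHORITY / NT-AUTHORITY).
    if user.upper().replace("NT-AUTHORITY", "NT AUTHORITY") in SERVICE_ACCOUNTS:
        return None
    # A path-shaped User, or one identical to Image, means the extraction slipped.
    if user == ev.get("Image") or re.match(r"^[A-Za-z]:\\", user):
        return "shifted"
    return "rdp" if DOMAIN_USER_RE.match(user) else "unknown"

def summarize(lines):
    """Count RDP events per (user, source host) and collect hosts with shifted fields."""
    counts, shifted = {}, []
    for line in lines:
        ev = parse_event(line)
        kind = classify(ev)
        if kind == "rdp":
            key = (ev["User"], ev.get("SourceHostname"))
            counts[key] = counts.get(key, 0) + 1
        elif kind == "shifted":
            shifted.append(ev.get("SourceHostname"))
    return counts, shifted
```

If the shifted list is non-empty for a whole time range, the sourcetype extraction changed rather than the users, which is the condition the reply above describes.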