How to display the results where one field matches another field?

ChethanNP
Explorer

Hi All,

I was working on a case where I have 2 fields extracted as "actordisplayName" and "targetUser" in the same raw log.

actordisplayName - who initiated the change; targetUser - the user it was changed for.

index=something displayMes="User update password"
| where actordisplayName != targetUser
| table _time, user, displayMes, actordisplayName, targetUser, outcome.result

Running this over 30 days.

Requirement: I need to search only for users where actordisplayName and targetUser are not the same.

E.g. I want only the results where my admin or someone else has done a password reset for me; I don't want the results for me resetting the password on my own account. In short, I need the results where actordisplayName and targetUser are not the same.

1 Solution

ChethanNP
Explorer

Fixed!

Thanks for the help

Resolution:

index=something displayMes="User update password"
| where 'actordisplayName' != 'targetUser'
| table _time, user, displayMes, actordisplayName, targetUser, outcome.result

ChethanNP
Explorer

I don't see any results when I use "| where actordisplayName != targetUser", maybe because on some day or other within the 30 days the actordisplayName would be the targetUser.

somesoni2
Revered Legend

Your query is not doing any summarization, so it should be fetching all rows where the password has changed, and your query should work just fine. Just remove the where clause and see if you can manually find a record where they're different.

ChethanNP
Explorer

Yes, I did find the results using

index=something displayMes="User update password"
| table _time, user, displayMes, actordisplayName, targetUser, outcome.result

That is why I wanted to remove where actordisplayName != targetUser and see, but that's not working.

richgalloway
SplunkTrust

When you run the query without the where clause, can you see any event where actordisplayName is not the same as targetUser?

I can think of two reasons why the where clause would return no results:

1) Every user is changing his own password

2) The user names in the two fields are in different formats (with and without domain name, for instance).

Again I ask, can you share some sanitized results?

---
If this reply helps you, an upvote would be appreciated.
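The second cause above (the two fields carrying the same user in different formats, such as "CORP\bob" versus "bob@corp.example" or a case difference) makes a plain `'actordisplayName' != 'targetUser'` comparison report self-service resets as if someone else had performed them, and a missing targetUser makes the comparison evaluate to null so the event is silently dropped. The search below is an added example, not code from the original thread or from Splunk; it normalizes both names before comparing them and keeps events with a missing target visible. It builds its own sample events with `makeresults` so it runs in any search bar without an index; the sample names, the `n` row counter and the `actor_norm` / `target_norm` helper fields are all constructed for this illustration. Note that in `where` and `eval`, single quotes denote field names while double quotes denote string literals, which is why the accepted answer quotes the fields with single quotes.

```spl
| makeresults count=5
| streamstats count AS n
| eval displayMes="User update password"
| eval actordisplayName=case(n=1, "alice", n=2, "CORP\\helpdesk", n=3, "Bob", n=4, "carol", n=5, "dave")
| eval targetUser=case(n=1, "alice", n=2, "bob", n=3, "bob@corp.example", n=4, "Carol", n=5, null())
| eval actor_norm=lower(mvindex(split(actordisplayName, "\\"), -1))
| eval actor_norm=mvindex(split(actor_norm, "@"), 0)
| eval target_norm=lower(mvindex(split(targetUser, "\\"), -1))
| eval target_norm=mvindex(split(target_norm, "@"), 0)
| eval target_norm=coalesce(target_norm, "<missing>")
| where 'actor_norm' != 'target_norm'
| table _time, n, displayMes, actordisplayName, targetUser, actor_norm, target_norm
```

The two `split`/`mvindex` steps drop a leading "DOMAIN\" prefix and a trailing "@domain" suffix, and `lower()` removes case differences, so rows 1, 3 and 4 (alice/alice, Bob/bob@corp.example, carol/Carol) are treated as self-service and filtered out. Row 2 (helpdesk resetting bob) survives as a genuine cross-user reset, and row 5 survives because `coalesce()` turns the missing target into "<missing>" instead of letting the `!=` test discard it. To apply this to real data, replace the first five lines with the original `index=something displayMes="User update password"` search and keep the normalization and `where` lines as they are.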

richgalloway
SplunkTrust

How is that query failing to meet the requirements? Can you share some sanitized results?

---
If this reply helps you, an upvote would be appreciated.