- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display the results matching the same f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I was working on a case where i have 2 fields extracted as "actordisplayName" & "targetUser" in the same raw log.
actordisplayName - who initiated the change, targetUser - to which user it was changed.
index=something displayMes="User update password"
| where actordisplayName!= targetUser
| table _time user, displayMes, actordisplayName, targetUser outcome.result
Running this for 30 days
Requirement: I need to search only for users where actordisplayName & targetUser is not same.
Eg: I want only the results for my admin/someone who has done password reset for me, I don't want the results for me resetting the passwords for my account. In short i need results for where actordisplayName & targetUser is not same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed!
Thanks for the help
Resolution:
index=something displayMes="User update password"
| where 'actordisplayName'!='targetUser'
| table _time user, displayMes, actordisplayName, targetUser outcome.result- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed!
Thanks for the help
Resolution:
index=something displayMes="User update password"
| where 'actordisplayName'!='targetUser'
| table _time user, displayMes, actordisplayName, targetUser outcome.result- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see any results when i use "| where actordisplayName!= targetUser", maybe because some or other day between 30 days the actordisplayName would be the targetUser.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your query is not doing any summarization, so it should be fetching all rows where password has changed and your query should work just fine. Just remove the where clause and see if you can manually find a record where they're different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, I did find the results using
index=something displayMes="User update password"
| table _time user, displayMes, actordisplayName, targetUser outcome.resultthat is why i wanted to remove where actordisplayName!=targetUser & see but that's not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you run the query without the where clause, can you see any event where actordisplayName is not the same as targetUser?
I can think of two reasons why the where clause would return no results:
1) Every user is changing his own password
2) The user names in the two fields are in different formats (with and without domain name, for instance).
Again I ask, Can you share some sanitized results?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is that query failing to meet the requirements? Can you share some sanitized results?
If this reply helps you, Karma would be appreciated.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
