Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to filter out events where t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
caliburn7
Engager
05-26-2016
05:49 PM
Hello,
I am trying to filter out events when the source username and destination username are the same, but it is not working when I use the where and NOT field1= field2 function. Is it because I have spaces in the field names? I tried to rename them as different fields and tried the where clause, but it still didn't work. Any help is greatly appreciated.
Here is the search:
| NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Name) as UniqueAction by "Source User Name" | where NOT "Source User Name"="Destination User Name"
Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-26-2016
07:01 PM
Try this:
... | search NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Destination User Name) AS "Destination User Name" values(Name) as UniqueAction by "Source User Name" | where NOT $Source User Name$=$Destination User Name$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-26-2016
07:01 PM
Try this:
... | search NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Destination User Name) AS "Destination User Name" values(Name) as UniqueAction by "Source User Name" | where NOT $Source User Name$=$Destination User Name$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
caliburn7
Engager
05-26-2016
07:57 PM
Thank you, this helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-26-2016
06:35 PM
Try putting single quotes around your fields. Like below. But what is *$"?
| where NOT ('Source User Name'='ANONYMOUS LOGON' OR 'Source User Name'="*$") AND Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Name) as UniqueAction by "Source User Name" | where NOT 'Source User Name'='Destination User Name'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
caliburn7
Engager
05-26-2016
07:59 PM
username=*$ was to filter all usernames that end with $, which are system authentications, and when not an actual user is present.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-26-2016
06:44 PM
Issue 1: After your stats there is no field called "Destination User Name", so even if the where syntax was correct, it will not give you any result
Issue 2. In where clause, fields names should be enclosed in single quotes if they contain spaces/dots etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
caliburn7
Engager
05-26-2016
07:56 PM
Thank you, this helped 🙂
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
What Is Splunk? Here’s What You Can Do with Splunk
Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...
Level Up Your .conf25: Splunk Arcade Comes to Boston
With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...
