- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to filter out events whe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to filter out events when the source username and destination username are the same, but it is not working when I use the where and NOT field1= field2 function. Is it because I have spaces in the field names? I tried to rename them as different fields and tried the where clause, but it still didn't work. Any help is greatly appreciated.
Here is the search:
| NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Name) as UniqueAction by "Source User Name" | where NOT "Source User Name"="Destination User Name"
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... | search NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Destination User Name) AS "Destination User Name" values(Name) as UniqueAction by "Source User Name" | where NOT $Source User Name$=$Destination User Name$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... | search NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Destination User Name) AS "Destination User Name" values(Name) as UniqueAction by "Source User Name" | where NOT $Source User Name$=$Destination User Name$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try putting single quotes around your fields. Like below. But what is *$"?
| where NOT ('Source User Name'='ANONYMOUS LOGON' OR 'Source User Name'="*$") AND Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Name) as UniqueAction by "Source User Name" | where NOT 'Source User Name'='Destination User Name'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
username=*$ was to filter all usernames that end with $, which are system authentications, and when not an actual user is present.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue 1: After your stats there is no field called "Destination User Name", so even if the where syntax was correct, it will not give you any result
Issue 2. In where clause, fields names should be enclosed in single quotes if they contain spaces/dots etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this helped 🙂
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
