Splunk Search

Junk characters showing when I use stats with list command to get the logins and logout of a VPN

asing13
Path Finder

Dear Community Members,

In a Splunk Cloud instance:
I am trying to get VPN login and logout for users in a single table sorted by Username and Time.

The query is as below:

eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity, list(_time) as Time by SourceUserName | rename SourceUserName as username | convert ctime(Time) | eval username=upper(username) | sort username,-Time

The search is for a period of 24 hours.

I am getting the data but along with it, I see junk characters (if I may call them so).

Kindly help to understand how to resolve the same.

I also tried adding limit=0 along with the stats command, but it was of no use.

Below is the screenshot of the fields. I have not shown the username field for security reasons.

[Screenshot: asing13_0-1626539775826.png]

I have used a similar query for another VPN and it works fine there, and I don't see these characters!

Regards,

Abhishek Singh

0 Karma

asing13
Path Finder

eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity, list(_time) as Time by SourceUserName | convert ctime(Time) | sort SourceUserName,-Time

0 Karma

asing13
Path Finder

More examples of the issue.

[Screenshot: asing13_0-1626540121293.png]

[Screenshot: asing13_1-1626540141096.png]

[Screenshot: asing13_2-1626540156088.png]

0 Karma