Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multivalued fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ESIMatNeforce
Path Finder
11-06-2013
05:33 AM
I have a problem concerming multivalued fields.
i wanted to create a dashboard which shows failed logins per user with the following query
bad password timeformat="%Y-%m-%dT%H:%M:%S" earliest="2013-11-06T13:45:00" | timechart span=1d count by Account_Name
But in the Splunk events there are 2 different values per event for Account_Name:
Account_Name:
"-"
"Administrator"
Therefore I get in my Dashboard all Accounts listet, but I also get an Account with the name "-"
(It is also the total of all events because every username also has the "-" value in it)
How to fix this issue?
Best regards
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
11-06-2013
05:44 AM
Use this to select the second Account_Name. Change the 1 to a 0 to grab the first.
eval Account_Name=mvindex(Account_Name,1)
Updated to correct the field name.
The complete search would be like this:
timeformat="%Y-%m-%dT%H:%M:%S" earliest="2013-11-06T13:45:00" | eval Account_Name=mvindex(Account_Name,1)| timechart span=1d count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ESIMatNeforce
Path Finder
11-13-2013
03:27 AM
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Andi
Account Domain: SPLUNKTEST
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
The result is
- Andi
8 13.11.13 00:00:00,000 1 1
How to define the search query that i don't get the results for Accountname "-"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-06-2013
08:39 AM
Could you provide some sample data before and after execution of timechart command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
11-06-2013
05:44 AM
Use this to select the second Account_Name. Change the 1 to a 0 to grab the first.
eval Account_Name=mvindex(Account_Name,1)
Updated to correct the field name.
The complete search would be like this:
timeformat="%Y-%m-%dT%H:%M:%S" earliest="2013-11-06T13:45:00" | eval Account_Name=mvindex(Account_Name,1)| timechart span=1d count by Account_Name
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
