Multivalued fields

ESIMatNeforce
Path Finder

I have a problem concerning multivalued fields.

I wanted to create a dashboard which shows failed logins per user with the following query:
bad password timeformat="%Y-%m-%dT%H:%M:%S" earliest="2013-11-06T13:45:00" | timechart span=1d count by Account_Name

But in the Splunk events there are 2 different values per event for Account_Name:

Account_Name:

"-"
"Administrator"

Therefore I get all accounts listed in my dashboard, but I also get an account with the name "-"
(it is also the total of all events, because every username also has the "-" value in it).

How to fix this issue?

Best regards

1 Solution

lukejadamec
Super Champion

Use this to select the second Account_Name. Change the 1 to a 0 to grab the first.

 eval Account_Name=mvindex(Account_Name,1)

Updated to correct the field name.

The complete search would be like this:

bad password timeformat="%Y-%m-%dT%H:%M:%S" earliest="2013-11-06T13:45:00" | eval Account_Name=mvindex(Account_Name,1) | timechart span=1d count by Account_Name

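Added example (not from this thread, and not Splunk's own code): a Python model of what the search pipeline does with this event. Event 4625 carries two "Account Name" lines, one under Subject (the account that requested the logon, which is "-" with a NULL SID for network logons) and one under Account For Which Logon Failed, so automatic key/value extraction gives Account_Name two values, and `count by Account_Name` counts each event once per value. That is why the "-" series equals the total. The code models `mvindex()` and the alternative `mvfilter(Account_Name!="-")` over constructed sample events, including one interactive attempt (Logon Type 2) whose Subject is a machine account: there, dropping "-" alone still double counts, while taking the second value does not. The sample events, the DC01$ and SPLUNKTEST names and the helper functions are constructed for this example only.

```python
import re
from collections import defaultdict


def make_4625(subject_account, target_account, logon_type):
    """Build a message in the layout of Windows Security event 4625.
    Constructed for this example; only the lines the extraction needs."""
    return (
        "An account failed to log on.\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{subject_account}\n"
        "\tAccount Domain:\t\t-\n"
        "\tLogon ID:\t\t0x0\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "Account For Which Logon Failed:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{target_account}\n"
        "\tAccount Domain:\t\tSPLUNKTEST\n"
    )


# Constructed sample events as (day, message); not real log data.
# The Logon Type 2 event has a machine account as Subject, which is what
# an interactive attempt looks like, so its Account_Name is not "-"/user.
SAMPLE_EVENTS = [
    ("2013-11-13", make_4625("-", "Andi", 3)),
    ("2013-11-13", make_4625("-", "Administrator", 3)),
    ("2013-11-13", make_4625("-", "Andi", 3)),
    ("2013-11-14", make_4625("DC01$", "Andi", 2)),
    ("2013-11-14", make_4625("-", "Administrator", 3)),
]

ACCOUNT_NAME = re.compile(r"^\s*Account Name:\s*(\S+)\s*$", re.MULTILINE)


def extract_account_name(message):
    """Splunk-style key/value extraction: a key that repeats yields a
    multivalued field, one value per occurrence, in document order."""
    return ACCOUNT_NAME.findall(message)


def mvindex(mv, i):
    """Model of Splunk mvindex(): the i-th value (negative counts from the
    end), null when the index is out of range."""
    try:
        return mv[i]
    except IndexError:
        return None


def mvfilter_not_dash(mv):
    """Model of mvfilter(Account_Name!="-"): keep every value except the
    placeholder; null when nothing is left."""
    return [v for v in mv if v != "-"] or None


def count_by(events, select=lambda mv: mv):
    """Model of `... | eval Account_Name=<select> | timechart span=1d count
    by Account_Name`.  A multivalued result counts the event once per value,
    which is exactly why "-" ends up equal to the total; a null result drops
    the event from every series."""
    series = defaultdict(lambda: defaultdict(int))
    for day, message in events:
        value = select(extract_account_name(message))
        if value is None:
            continue
        for name in (value if isinstance(value, list) else [value]):
            series[day][name] += 1
    return {day: dict(names) for day, names in series.items()}


if __name__ == "__main__":
    print("no eval:        ", count_by(SAMPLE_EVENTS))
    print("mvindex(...,1): ", count_by(SAMPLE_EVENTS, lambda mv: mvindex(mv, 1)))
    print("mvfilter(!='-'):", count_by(SAMPLE_EVENTS, mvfilter_not_dash))
```

Run it and compare the three tables: without an eval, "-" is 3 on the first day and 1 on the second, matching the total in each bucket; `mvindex(Account_Name,1)` yields one count per failed user; `mvfilter` removes "-" but keeps DC01$ on the second day, so for 4625 the positional pick is the safer choice as long as the event layout is the one shown above. `mvindex(Account_Name,-1)` (last value) behaves the same as index 1 here and also survives events where the Subject block is missing.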

ESIMatNeforce
Path Finder

Message=An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Andi
Account Domain: SPLUNKTEST

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

The result is:

_time                  -   Andi
13.11.13 00:00:00,000  1   1

How do I define the search query so that I don't get the results for Account_Name "-"?


somesoni2
Revered Legend

Could you provide some sample data before and after execution of timechart command?

