I'm attempting to extract statistics of user logins from a custom log format and create a bar chart. I have users A, B, C and D. The log format looks something like this.
1.Account Name: A
Account Domain: some_domain
**Account Name: B
Account Domain: some_domain
2.Account Name: A
Account Domain: some_domain
**Account Name: C
Account Domain: some_domain
Basically I have user A appearing in every search result. As a result, my chart shows A as having the highest number of logins and because it occurs for every user, I cannot use NOT and remove that username from the search. It would show me 0 results.
Can someone tell me a way I can remove just user A from my chart? I want to see logins from every other user except A in my chart. I'm new to Splunk and I have no idea how to do this.
I am having this same problem. Maybe I can add some clarity to the specific problem with a specific example. This is my search (minus the host data):
source="WinEventLog:Security" Keywords="Audit Failure" Failure_Reason="Unknown user name or bad password." | top Account_Name
Looking in the events it returns, about 70% of the events have this:
Account Name: -
As well as:
Account Name: actual user account name
So when it outputs as a bar chart, the account name '-' shows as the largest, because it totals up every result that has that name in it, but it then also lists out the actual user account names. So the data is all listed twice in effect. But doing != to the '-' user name ends up excluding the bulk of my other results, the info I am trying to track.
Obviously this isn't the end of the world, I could just ignore that, but it does skew my bar charts a bit.
Can you create an eval statement maybe?
...|eval serverName=if(AccountName="A","A",null())|eval accountName=if(isnull(serverName),AccountName,null())|...
and then do your stats command by the new accountName?
The entry | search NOT username="A" works like a charm, though | search username!="A" works just as well
It sounds like you need to configure line breaking for those events and set it to linebreak before account name. Configure this in props.conf.
Is there no other way to do this? I'm a new user to Splunk and I don't know how to do this. I guess I'll read up first.
You may be able to use a field search:
NOT username="A" ...
Sometimes it's necessary to filter out a single user at the very end of a search, in which case you can tack a "search" command on to the end, like so:
... | search NOT username="A"
If this doesn't work, please edit your question and provide the search you are starting with.
Exactly what I was trying to explain, I cannot use the NOT operator because then it would not even show me logins of B, C and D. Every record of the log has 2 values for Account Name. One is the server's name and the other is the user's name. I don't want to see the server's name in the chart. In the example I have provided, A is the server name and B, C, D are the user names.
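The eval-based answer above and the asker's last reply both point at the same underlying fix: each record carries two Account Name values, the first being the server or subject account (A, or '-' in the second poster's 4625 failures) and the second the actual user, so the chart should count only the second value per record instead of excluding a name with NOT (which drops the whole record, because the record also contains the user). The following Python script is an added example, not code from the thread or from Splunk; it parses a constructed log in the asker's format, splits it into records, and counts logins per user by position. The sample log, the record-start pattern `^\d+\.` and the function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the thread's log format: each numbered record carries
# two "Account Name" lines, the first being the server/subject account (A or -)
# and the second the user (B, C, D), as the asker describes.
SAMPLE_LOG = """\
1.Account Name: A
Account Domain: some_domain
**Account Name: B
Account Domain: some_domain
2.Account Name: A
Account Domain: some_domain
**Account Name: C
Account Domain: some_domain
3.Account Name: -
Account Domain: some_domain
**Account Name: D
Account Domain: some_domain
4.Account Name: A
Account Domain: some_domain
**Account Name: B
Account Domain: some_domain
"""

RECORD_START = re.compile(r"^\d+\.")          # "1.", "2.", ... opens a new record (assumed)
ACCOUNT_NAME = re.compile(r"Account Name:\s*(\S+)")


def split_records(text):
    """Split the flat log into records, one per numbered event."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append(current)
            current = []
        current.append(line)
    if current:
        records.append(current)
    return records


def account_names(record):
    """All Account Name values of one record, in order of appearance
    (the same shape as Splunk's multivalue Account_Name field)."""
    names = []
    for line in record:
        m = ACCOUNT_NAME.search(line)
        if m:
            names.append(m.group(1))
    return names


def count_user_logins(text, user_index=1):
    """Count logins per user, taking the Nth Account Name of each record.
    Index 1 is the second value (the user); index 0 would be the server/subject.
    Records with too few values are skipped rather than miscounted."""
    counts = Counter()
    for record in split_records(text):
        names = account_names(record)
        if len(names) > user_index:
            counts[names[user_index]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Expected: B: 2, C: 1, D: 1 -- A and '-' never reach the chart data
    for user, n in sorted(count_user_logins(SAMPLE_LOG).items()):
        print(f"{user}: {n}")
```

The Splunk equivalent of `count_user_logins` is to pick the value by position rather than by name: `... | eval user=mvindex(Account_Name, 1) | stats count by user` (mvindex is zero-based, so index 1 is the second Account Name). Because the selection is positional, it also removes the '-' subject account from the second poster's failed-logon chart without any per-name exclusion.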