Splunk Search

Removing certain results from reports

Sheela
Path Finder

I'm attempting to extract statistics of user logins from a custom log format and create a bar chart. I have users A, B, C and D. The log format looks something like this.

1.Account Name: A
Account Domain: some_domain
**Account Name: B
Account Domain: some_domain

2.Account Name: A
Account Domain: some_domain
**Account Name: C
Account Domain: some_domain
Basically I have user A appearing in every search result. As a result, my chart shows A as having the highest number of logins and because it occurs for every user, I cannot use NOT and remove that username from the search. It would show me 0 results.

Can someone tell me a way I can remove just user A from my chart? I want to see logins from every other user except A in my chart. I'm new to Splunk and I have no idea on how to do this.


bossmanbob
Engager

I am having this same problem. Maybe I can add some clarity to the specific problem with a specific example. This is my search (minus the host data): 

source="WinEventLog:Security" Keywords="Audit Failure" Failure_Reason="Unknown user name or bad password." | top Account_Name

Looking in the events it returns, about 70% of the events have this:

Account Name: -

As well as:

Account Name: actual user account name

So when it outputs as a bar chart, the account name '-' shows as the largest, because it totals up every result that has that name in it, but it then also lists out the actual user account names. So the data is all listed twice in effect. But doing =! to the '-' user name ends up excluding the bulk of my other results, the info I am trying to track.

Obviously this isn't the end of the world, I could just ignore that, but it does skew my bar charts a bit.

0 Karma

cmerriman
Super Champion

Can you create an eval statement maybe?

...|eval serverName=if(AccountName="A","A",null())|eval accountName=if(isnull(serverName),AccountName,null())|...

and then do your stats command by the new accountName?

0 Karma

dspolan
Engager

The entry | search NOT username="A" works like a charm, though | search username!="A" works just as well

0 Karma

RicoSuave
Builder

It sounds like you need to configure line breaking for those events and set it to linebreak before account name. Configure this in props.conf.

0 Karma

Sheela
Path Finder

Is there no other way to do this? I'm a new user to Splunk and I don't know how to do this. I guess I'll read up first.

0 Karma

Lowell
Super Champion

You may be able to use a field search:

NOT username="A" ...

Sometimes it's necessary to filter out a single user at the very end of a search, in which case you can tack a "search" command on to the end, like so:

... | search NOT username="A"

If this doesn't work, please edit your question and provide the search you are starting with.

Sheela
Path Finder

Exactly what I was trying to explain, I cannot use the NOT operator because then it would not even show me logins of B, C and D. Every record of the log has 2 values for Account Name. One is the server's name and the other is the user's name. I don't want to see the server's name in the chart. In the example I have provided, A is the server name and B, C, D are the user names.
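A worked SPL example, added here and not posted by anyone in the thread, covering both bossmanbob's Windows Security search and Sheela's custom format. The reason `NOT Account_Name="A"` (or `Account_Name!="A"`) empties the result set is that the filter is applied to the whole event, and every event contains both account names, so every event is discarded. Likewise `| top Account_Name` on a multivalue field counts each value separately, which is why the "-" placeholder and the server name end up on top of the chart. The fix is to stop filtering events and instead pick or filter values inside the multivalue field before counting. Assumptions: the Windows Security events have Account_Name extracted as a multivalue field with the subject account first and the account that attempted the logon second (the Splunk Add-on for Microsoft Windows does this); `index=custom sourcetype=custom_logins` and the server name `A` in the second search are placeholders matching the question's example.

```spl
source="WinEventLog:Security" Keywords="Audit Failure" Failure_Reason="Unknown user name or bad password."
| eval target_user=mvindex(Account_Name, 1)
| where isnotnull(target_user) AND target_user!="-"
| stats count AS failed_logins BY target_user
| sort - failed_logins

index=custom sourcetype=custom_logins
| rex max_match=0 "Account Name:\s*(?<acct>\S+)"
| eval acct=mvfilter(acct!="A" AND acct!="-")
| mvexpand acct
| stats count AS logins BY acct
| sort - logins
```

The first search keeps only the second value of Account_Name (index 1), so the subject account, whether it is "-" or a computer account, never reaches the chart; events with only one Account_Name value yield null and are dropped by the `where`. The second search rebuilds the multivalue field from the raw text with `rex max_match=0`, which captures every "Account Name:" occurrence in the event regardless of line breaking, then `mvfilter` removes the unwanted values before `stats`. Either result feeds a bar chart directly, with no `NOT` clause needed.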
