Splunk Search

Removing certain results from reports

Path Finder

I'm attempting to extract statistics of user logins from a custom log format and create a bar chart. I have users A, B, C and D. The log format looks something like this.


    1. Account Name: A
       Account Domain: somedomain
       <some text>

       Account Name: B
       Account Domain: somedomain
       <some text>

    2. Account Name: A
       Account Domain: somedomain
       <some text>

       Account Name: C
       Account Domain: somedomain
       <some text>

Basically I have user A appearing in every search result. As a result, my chart shows A as having the highest number of logins and because it occurs for every user, I cannot use NOT and remove that username from the search. It would show me 0 results.

Can someone tell me a way I can remove just user A from my chart? I want to see logins from every other user except A in my chart. I'm new to Splunk and I have no idea on how to do this.


Re: Removing certain results from reports

Super Champion

You may be able to use a field search:

NOT username="A" ...

Sometimes it's necessary to filter out a single user at the very end of a search, in which case you can tack a "search" command on to the end, like so:

... | search NOT username="A"

If this doesn't work, please edit your question and provide the search you are starting with.


Re: Removing certain results from reports

Path Finder

Exactly what I was trying to explain: I cannot use the NOT operator, because then it would not even show me logins of B, C and D. Every record of the log has 2 values for Account Name. One is the server's name and the other is the user's name. I don't want to see the server's name in the chart. In the example I have provided, A is the server name and B, C, D are the user names.


Re: Removing certain results from reports

Builder

It sounds like you need to configure line breaking for those events and set it to line-break before "Account Name". Configure this in props.conf.


Re: Removing certain results from reports

Path Finder

Is there no other way to do this? I'm a new user to Splunk and I don't know how to do this. I guess I'll read up first.


Re: Removing certain results from reports

Engager

The entry | search NOT username="A" works like a charm, though | search username!="A" works just as well


Re: Removing certain results from reports

Super Champion

Can you create an eval statement, maybe?

...|eval serverName=if(AccountName="A","A",null())|eval accountName=if(isnull(serverName),AccountName,null())|...

and then do your stats command by the new accountName?

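Worked example, added here as an illustration and not taken from any of the posts above. It follows the thread's own observation that each event carries two "Account Name" values, the first being the server's account and the second the logged-in user, and so avoids hard-coding "A" at all. The index and sourcetype names are placeholders, and the rex assumes the raw event text looks like the sample in the question (the label "Account Name:" followed by whitespace and a single token).

```spl
index=mylogs sourcetype=custom_logins "Account Name:"
| rex max_match=0 "Account Name:\s+(?<account_name>\S+)"
| eval server_name=mvindex(account_name, 0)
| eval user_name=mvindex(account_name, 1)
| where isnotnull(user_name) AND user_name!=server_name
| stats count AS logins BY user_name
| sort - logins
```

Because `rex max_match=0` keeps every match, `account_name` becomes a multivalue field per event; `NOT account_name="A"` would then drop the whole event (the behaviour the question describes), whereas picking the second value with `mvindex` keeps only the user. If the order of the two values cannot be relied on but the server account is known, `eval user_name=mvfilter(account_name!="A")` removes that single value and keeps the rest. The line-breaking approach suggested earlier in the thread does the same job at index time (a `BREAK_ONLY_BEFORE = Account Name:` setting in the sourcetype's props.conf stanza), at the cost of losing the pairing between the server and user values within one logon record.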