Splunk Search

Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

ajmb
New Member

I want to start out with: EventIdentifier=4624 | AnomalousValue "Workstation Name"
...but this search returns an error. What am I doing wrong here? It's like Splunk doesn't know what the "Workstation Name" field is.

0 Karma

woodcock
Esteemed Legend

Based on your clarification, this should work:

EventIdentifier=4624 | anomalousvalue Workstation_Name
0 Karma

woodcock
Esteemed Legend

Did this work?

0 Karma

woodcock
Esteemed Legend

Are you sure that it is a field? If it is, this will work, if not you need to make the field exist:

EventIdentifier=4624 | anomalousvalue $Workstation Name$
0 Karma

ajmb
New Member

It returned the field as Workstation_Name, but I've tried:

EventIdentifier=4624 | ...

  • AnomalousValue 'Workstation_Name'
  • AnomalousValue "Workstation_Name"
  • AnomalousValue $Workstation_Name"

every single one of these returns "Error in 'anomalousvalue' command: found no qualifying results. Please verify that the field names are correct"

0 Karma

ajmb
New Member

Well that doesn't work so I guess it isn't a 'field'. This is annoying and confusing.

The event data has a section like this...

Network Information:
Workstation Name: TestClientPc
Source Network Address: 192.168.1.247
Source Port: 52404

So what the heck do I do here? Is this something I have to use eval() for?

0 Karma

woodcock
Esteemed Legend

Well obviously EventIdentifier is a field so some fields are being created. What do you get from this:

 EventIdentifier=4624 | stats first(*)

This will show you what fields do exist. Perhaps this field is being extracted as Name instead of Workstation Name.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!