Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

ajmb
New Member
‎07-01-2015 12:12 PM

I want to start out with: EventIdentifier=4624 | AnomalousValue "Workstation Name"
...but this search returns an error. What am I doing wrong here? It's like Splunk doesn't know what the "Workstation Name" field is.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 02:29 PM

Based on your clarification, this should work:

EventIdentifier=4624 | anomalousvalue Workstation_Name
0 Karma
Reply

woodcock
Esteemed Legend
‎07-17-2015 09:44 PM

Did this work?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 12:24 PM

Are you sure that it is a field? If it is, this will work, if not you need to make the field exist:

EventIdentifier=4624 | anomalousvalue $Workstation Name$
0 Karma
Reply

ajmb
New Member
‎07-01-2015 02:18 PM

It returned the field as Workstation_Name, but I've tried:

EventIdentifier=4624 | ...

  • AnomalousValue 'Workstation_Name'
  • AnomalousValue "Workstation_Name"
  • AnomalousValue $Workstation_Name"

every single one of these returns "Error in 'anomalousvalue' command: found no qualifying results. Please verify that the field names are correct"

0 Karma
Reply

ajmb
New Member
‎07-01-2015 12:44 PM

Well that doesn't work so I guess it isn't a 'field'. This is annoying and confusing.

The event data has a section like this...

Network Information:
Workstation Name: TestClientPc
Source Network Address: 192.168.1.247
Source Port: 52404

So what the heck do I do here? Is this something I have to use eval() for?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 01:44 PM

Well obviously EventIdentifier is a field so some fields are being created. What do you get from this:

 EventIdentifier=4624 | stats first(*)

This will show you what fields do exist. Perhaps this field is being extracted as Name instead of Workstation Name.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...