Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Table creation without Unknown Users

antlefebvre
Communicator
‎08-01-2013 12:20 PM

This is my scenario

When I so a search on my event log there are 2 events for the same user. I have extracted the field as UserName1.

The UserName1 field data looks like this

r3452

(Unknown User) Bart

r2456

Bart

r3722

So Bart shows up in 2 events. One as Bart and another as (Unknown User) Bart.

I have tried several queries to create a table that removes both these entries but have been unsuccessful. Any help is appreciated.

Edit: Extraction for question below.

EXTRACT-UserName1 = (?i)<user_name>(?P<UserName1>[^<]+)

In the props.conf file. Extracting the data isn't so much my problem as they are extracted correctly. I just want to remove the unknown user as it is tagged as such. Then the subsequent failed login without the unknown user designation.

Tags (3)
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎08-02-2013 10:24 AM

Might I suggest either experimenting with your field extraction to not have these entries OR just append:

NOT "*Unknown User*"

Does that fix it?

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

antlefebvre
Communicator
‎08-02-2013 10:30 AM

Unfortunately this won't work. I have a dash that shows failed logins because the user is an unknown user. I have another dash that shows legitimate user failed logins. I want them to be mutually exclusive. That is I do not want to see the unknown users failures in my legitimate user dash. But the data source gives me 2 events for the unknown users. One with the (Unknown user) prefix on the username and the other with just the username. If I do a NOT command I will only filter out the (Unknown user) event. Leaving me with the other event from that user I want to remove.

0 Karma
Reply

lukejadamec
Super Champion
‎08-01-2013 12:30 PM

Can you post your method for extracting the user?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top