Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Table creation without Unknown Users

antlefebvre
Communicator
‎08-01-2013 12:20 PM

This is my scenario

When I so a search on my event log there are 2 events for the same user. I have extracted the field as UserName1.

The UserName1 field data looks like this

r3452

(Unknown User) Bart

r2456

Bart

r3722

So Bart shows up in 2 events. One as Bart and another as (Unknown User) Bart.

I have tried several queries to create a table that removes both these entries but have been unsuccessful. Any help is appreciated.

Edit: Extraction for question below.

EXTRACT-UserName1 = (?i)<user_name>(?P<UserName1>[^<]+)

In the props.conf file. Extracting the data isn't so much my problem as they are extracted correctly. I just want to remove the unknown user as it is tagged as such. Then the subsequent failed login without the unknown user designation.

Tags (3)
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎08-02-2013 10:24 AM

Might I suggest either experimenting with your field extraction to not have these entries OR just append:

NOT "*Unknown User*"

Does that fix it?

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

antlefebvre
Communicator
‎08-02-2013 10:30 AM

Unfortunately this won't work. I have a dash that shows failed logins because the user is an unknown user. I have another dash that shows legitimate user failed logins. I want them to be mutually exclusive. That is I do not want to see the unknown users failures in my legitimate user dash. But the data source gives me 2 events for the unknown users. One with the (Unknown user) prefix on the username and the other with just the username. If I do a NOT command I will only filter out the (Unknown user) event. Leaving me with the other event from that user I want to remove.

0 Karma
Reply

lukejadamec
Super Champion
‎08-01-2013 12:30 PM

Can you post your method for extracting the user?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...