Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Table creation without Unknown Users

antlefebvre
Communicator
‎08-01-2013 12:20 PM

This is my scenario

When I so a search on my event log there are 2 events for the same user. I have extracted the field as UserName1.

The UserName1 field data looks like this

r3452

(Unknown User) Bart

r2456

Bart

r3722

So Bart shows up in 2 events. One as Bart and another as (Unknown User) Bart.

I have tried several queries to create a table that removes both these entries but have been unsuccessful. Any help is appreciated.

Edit: Extraction for question below.

EXTRACT-UserName1 = (?i)<user_name>(?P<UserName1>[^<]+)

In the props.conf file. Extracting the data isn't so much my problem as they are extracted correctly. I just want to remove the unknown user as it is tagged as such. Then the subsequent failed login without the unknown user designation.

Tags (3)
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎08-02-2013 10:24 AM

Might I suggest either experimenting with your field extraction to not have these entries OR just append:

NOT "*Unknown User*"

Does that fix it?

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

antlefebvre
Communicator
‎08-02-2013 10:30 AM

Unfortunately this won't work. I have a dash that shows failed logins because the user is an unknown user. I have another dash that shows legitimate user failed logins. I want them to be mutually exclusive. That is I do not want to see the unknown users failures in my legitimate user dash. But the data source gives me 2 events for the unknown users. One with the (Unknown user) prefix on the username and the other with just the username. If I do a NOT command I will only filter out the (Unknown user) event. Leaving me with the other event from that user I want to remove.

0 Karma
Reply

lukejadamec
Super Champion
‎08-01-2013 12:30 PM

Can you post your method for extracting the user?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...