Splunk Search

Why isn't version 6 picking this up as a field? User:

cdupuis123
Path Finder

2013-10-25 10:49:33,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-25 10:49:19,End: 2013-10-25 10:49:19,Rule: This one is a splat | Watch these Executables,1568,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:

My version 5 environment grabs it? In version 6 the fields are way fewer. Still a N00b on both releases, but trying to transform our data to the nullqueue is hard enough without the added complexity of not having a field... HELP!!!!

0 Karma
1 Solution

yannK
Splunk Employee

Remark: you cannot use fields with nullQueue filtering, because the fields are extracted at search time, not at index time. You need a proper regex to define a filter for nullQueue.

At search time try:

* | rex "User: (?<User>\w+)" | table User _raw

At index time, for the props for nullQueue, try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)


0 Karma
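One way to wire that regex into index-time routing, as an added example that is not from the original thread; the sourcetype name my_process_events and the stanza name drop_system_user are assumptions, the REGEX is the one from the answer above:

```ini
# props.conf (sourcetype name is an assumption; use the real one)
[my_process_events]
TRANSFORMS-null = drop_system_user

# transforms.conf
[drop_system_user]
# Applied to the raw event at index time, not to a search-time field.
# The sample event above matches on "User: SYSTEM,".
REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)
DEST_KEY = queue
FORMAT = nullQueue
```

Events sent to nullQueue are never indexed, so check the pattern at search time first (for example with the rex command above, or `| regex _raw="User: SYSTEM"`) to see exactly which process-creation events would be dropped.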

yannK
Splunk Employee

If your question was answered, do not forget to mark the "accept check box". It will help the other users.

0 Karma

cdupuis123
Path Finder

Thanks yannK, it made sense to me and fixed what I was looking for and trying to do! Thanks

0 Karma
