Splunk Search

Why isn't version 6 picking this up as a field? User:

cdupuis123
Path Finder

2013-10-25 10:49:33,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-25 10:49:19,End: 2013-10-25 10:49:19,Rule: This one is a splat | Watch these Executables,1568,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:

My version 5 enviroment grabs it? Version 6 the fields are way less. Still a N00b on both releases, but trying to transform out data to the nullqueue is hard enough without the added complexity of not having a field... HELP!!!!

Tags (1)
0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

remark : you cannot use fields with nullQueue filtering, because the fields are extracted as search time, not at index time, You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)

View solution in original post

0 Karma

yannK
Splunk Employee
Splunk Employee

if your question was answered, do not forget to mark the "accept check box". It will help the other users.

0 Karma

cdupuis123
Path Finder

Thanks yannK it made sense to me and fixed what I was looking for and trying to do! thanks

0 Karma

yannK
Splunk Employee
Splunk Employee

remark : you cannot use fields with nullQueue filtering, because the fields are extracted as search time, not at index time, You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...