Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why isn't version 6 picking this up as a field? User:

cdupuis123
Path Finder
‎10-25-2013 08:05 AM

2013-10-25 10:49:33,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-25 10:49:19,End: 2013-10-25 10:49:19,Rule: This one is a splat | Watch these Executables,1568,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:

My version 5 enviroment grabs it? Version 6 the fields are way less. Still a N00b on both releases, but trying to transform out data to the nullqueue is hard enough without the added complexity of not having a field... HELP!!!!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 08:25 AM

remark : you cannot use fields with nullQueue filtering, because the fields are extracted as search time, not at index time, You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 10:21 AM

if your question was answered, do not forget to mark the "accept check box". It will help the other users.

0 Karma
Reply
Solved! Jump to solution

cdupuis123
Path Finder
‎10-25-2013 10:08 AM

Thanks yannK it made sense to me and fixed what I was looking for and trying to do! thanks

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 08:25 AM

remark : you cannot use fields with nullQueue filtering, because the fields are extracted as search time, not at index time, You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...