Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why isn't version 6 picking this up as a field? User:

cdupuis123
Path Finder
‎10-25-2013 08:05 AM

2013-10-25 10:49:33,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-25 10:49:19,End: 2013-10-25 10:49:19,Rule: This one is a splat | Watch these Executables,1568,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:

My version 5 enviroment grabs it? Version 6 the fields are way less. Still a N00b on both releases, but trying to transform out data to the nullqueue is hard enough without the added complexity of not having a field... HELP!!!!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 08:25 AM

remark : you cannot use fields with nullQueue filtering, because the fields are extracted as search time, not at index time, You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 10:21 AM

if your question was answered, do not forget to mark the "accept check box". It will help the other users.

0 Karma
Reply
Solved! Jump to solution

cdupuis123
Path Finder
‎10-25-2013 10:08 AM

Thanks yannK it made sense to me and fixed what I was looking for and trying to do! thanks

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2013 08:25 AM

remark : you cannot use fields with nullQueue filtering, because the fields are extracted as search time, not at index time, You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...