Splunk Search

Why isn't version 6 picking this up as a field? User:

cdupuis123
Path Finder

2013-10-25 10:49:33,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-25 10:49:19,End: 2013-10-25 10:49:19,Rule: This one is a splat | Watch these Executables,1568,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:

My version 5 environment grabs it? Version 6 the fields are way less. Still a N00b on both releases, but trying to transform out data to the nullqueue is hard enough without the added complexity of not having a field... HELP!!!!

1 Solution

yannK
Splunk Employee

Remark: you cannot use fields with nullQueue filtering, because the fields are extracted at search time, not at index time. You need a proper regex to define a filter for nullQueue.

at search time try :

* | rex "User: (?<User>\w+)" | table User _raw

at index time for the props for nullQueue try a simple

REGEX = User: SYSTEM

or a conditional

REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)
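The REGEX above only works once it sits inside a props.conf/transforms.conf pair on the indexer (or heavy forwarder). The following is an added example, not part of yannK's answer; the sourcetype name app_control is a placeholder, and the pattern gets a trailing word boundary so "User: SYSTEM" does not also drop events such as "User: SYSTEMADMIN":

```ini
# props.conf  (on the indexer or heavy forwarder, not the search head)
# "app_control" is a placeholder; use the sourcetype the events actually arrive with.
# TRANSFORMS-<class> may list several transforms, comma separated, applied in order.
[app_control]
TRANSFORMS-null = drop_system_user

# transforms.conf
# REGEX is matched against _raw at index time; on a match the event is routed to
# nullQueue and never reaches the index, so keep the pattern as narrow as possible.
[drop_system_user]
REGEX = User: SYSTEM\b
DEST_KEY = queue
FORMAT = nullQueue

# Conditional variant from the answer, with the word boundary placed after the group.
# Reference this name in TRANSFORMS-null instead of (or in addition to) the one above.
[drop_listed_users]
REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)\b
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after editing; only events indexed after the change are filtered, and the search-time rex from the answer remains a quick way to check which events the pattern would match before dropping them.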


yannK
Splunk Employee

If your question was answered, do not forget to mark the "accept check box". It will help the other users.


cdupuis123
Path Finder

Thanks yannK, it made sense to me and fixed what I was looking for and trying to do! Thanks.

