Solved: Windows Event Log 4625 - Eval Account_Name Search ...

zward · ‎11-14-2017

Hello,

I have the following search:

index=security_wineventlog EventCode=4625 | table _time, Workstation_Name, Source_Network_Address, host, Account_Name | eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="ADFS",(mvindex(Account_Name,1)), Account_Name) | eval Time=strftime(_time,"%Y/%m/%d %T")

Now using the eval command, I am finding any results with "-", "ADFS", or "randomcomputername$" and instead choosing the next result for account_name. However when running the search, I am still seeing account_names with $ at the end of the account name.

Here are the results I get when I do a search:

How can I move past account names with $ in them per my search above to populate the next result for account_name? I searched google and Splunk answers and was not able to find an answer. Thank you.

maciep · ‎11-14-2017

What about using mvfilter to get rid of the ones you don't want?

|  eval Account_Name = mvfilter(Account_Name!="-" AND Account_Name!="ADFS" AND NOT match(Account_Name,"\$$"))

View solution in original post

zward · ‎11-14-2017

That worked wonderfully and is exactly what I needed, thank you Maciep!

maciep · ‎11-14-2017

What about using mvfilter to get rid of the ones you don't want?

|  eval Account_Name = mvfilter(Account_Name!="-" AND Account_Name!="ADFS" AND NOT match(Account_Name,"\$$"))

Windows Event Log 4625 - Eval Account_Name Search Issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation