Solved: excluding a search result

moayadalghamdi · ‎02-03-2021

Hello Splunkers !

i have a problem here, that we're running an infra structure change and for that im getting duplicated logs

im running a search that show bytes count for users on proxy, but because of the double logs i get two usernames instead of on so for that the users column is empty

look at the image below please:

we can see the username is duplicated, its the same user, but the old user has "d1$" more than the name.

please help me to eliminate the old user name and only fit the one in the search.

ive tried this: user!=*d1$* but the table still misses the users in columns

manjunathmeti · ‎02-03-2021

hi @moayadalghamdi,

Use replace to replace "d1$" in user value.

index=Proxy user!="-" action="allowed" user=* | eval user=replace(user, "d1\$", "") | stats sum(bytes) as GB by src_ip, user | eval GB=GB/1024/1024/1024

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

manjunathmeti · ‎02-03-2021

hi @moayadalghamdi,

Use replace to replace "d1$" in user value.

index=Proxy user!="-" action="allowed" user=* | eval user=replace(user, "d1\$", "") | stats sum(bytes) as GB by src_ip, user | eval GB=GB/1024/1024/1024

If this reply helps you, an upvote/like would be appreciated.

moayadalghamdi · ‎02-03-2021

Awesome !, Thanks !

excluding a search result

fields

metadata

subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?