Maybe there is a much easier way to do this that I'm just missing, but here goes. I have a search that I am using to alert when there are multiple failed logons from a specific IP:
sourcetype=mysource "AUTHENTICATION_FAILED" | rex field=_raw "WHO: \[username: (?<user>\w+)" | rex field=_raw "CLIENT IP ADDRESS: (?<SourceIP>\d+\.\d+\.\d+\.\d+)" | eval userID=upper(user) | stats dc(userID) as uniqueUser by SourceIP | where uniqueUser > 3
This works all well and good in an alert and notifies when the situation has happened. What I want to do is return the raw events so we can grab some relevant details to include in the alert email (e.g. the offending SourceIP of the failed logons, what account(s) they used, how many times they attempted it, success/failure, etc.), so I tried using a subsearch to do this.
sourcetype=mysource [search sourcetype=mysource "AUTHENTICATION_FAILED" | rex field=_raw "WHO: \[username: (?<user>\w+)" | rex field=_raw "CLIENT IP ADDRESS: (?<SourceIP>\d+\.\d+\.\d+\.\d+)" | eval userID=upper(user) | stats dc(userID) as uniqueUser by SourceIP | where uniqueUser > 3 | return 100 $SourceIP ]
This works fine if the subsearch returns a value (meaning an IP has more than X, in this example 3, failed logons), but otherwise it returns ALL events, because the subsearch returns no rows and therefore no SourceIP that can be used to filter down the main search results. I saw a few other examples of how to return a default when a subsearch returns zero rows, but can't seem to get it to work properly within my search, so any help or guidance is appreciated.
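Two ways to keep the main search from falling open when no IP crosses the threshold, written as an added example rather than code from the post. Both assume the same sourcetype, field names and threshold as above; the first uses a constructed sentinel value `NO_OFFENDING_IP` that never appears in any event, the second drops the subsearch and uses `eventstats` so that an empty result simply returns nothing. Events without the failure string are labelled `other`, not `success`, since the page does not say what else the source logs.

```spl
sourcetype=mysource
    [ search sourcetype=mysource "AUTHENTICATION_FAILED"
      | rex field=_raw "WHO: \[username: (?<user>\w+)"
      | rex field=_raw "CLIENT IP ADDRESS: (?<SourceIP>\d+\.\d+\.\d+\.\d+)"
      | eval userID=upper(user)
      | stats dc(userID) as uniqueUser by SourceIP
      | where uniqueUser > 3
      | appendpipe [ stats count | where count=0 | eval SourceIP="NO_OFFENDING_IP" ]
      | fields SourceIP
      | return 100 $SourceIP ]
| rex field=_raw "WHO: \[username: (?<user>\w+)"
| rex field=_raw "CLIENT IP ADDRESS: (?<SourceIP>\d+\.\d+\.\d+\.\d+)"
| eval outcome=if(match(_raw, "AUTHENTICATION_FAILED"), "failure", "other")
| table _time SourceIP user outcome

sourcetype=mysource
| rex field=_raw "WHO: \[username: (?<user>\w+)"
| rex field=_raw "CLIENT IP ADDRESS: (?<SourceIP>\d+\.\d+\.\d+\.\d+)"
| eval failedUser=if(match(_raw, "AUTHENTICATION_FAILED"), upper(user), null())
| eventstats dc(failedUser) as uniqueUser, count(failedUser) as failedAttempts by SourceIP
| where uniqueUser > 3
| eval outcome=if(isnotnull(failedUser), "failure", "other")
| table _time SourceIP user outcome uniqueUser failedAttempts
```

In the first search, `appendpipe [stats count | where count=0 ...]` adds a row only when the subsearch is empty, so the main search then looks for a term that matches nothing instead of everything; `return 100` is needed because `return` hands back a single row by default. The second search also carries the per-IP distinct-user and attempt counts on every returned event, which is what the alert email needs.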
Well, not sure what fixed it, but I am no longer getting this error. After updating the Splunk ODBC client on my desktop I restarted my computer, started fresh with a new Tableau report connecting to the Splunk saved report, and am no longer getting the "wrong number of bindings for number of input columns" error. I wish I could concretely point to what I may have done to resolve it; my best guess is the client update, but I can't confirm for sure.
I'm having trouble using Tableau to extract data from Splunk for a Tableau report. I can connect to the saved search fine by connecting live, but when I try to generate an extract (for Tableau report performance reasons) it gives the error
"internal error starextracttuplesource has wrong number of bindings for number of input columns".
When I look at the fields available in the Tableau DataSource page, it shows the 3 explicit fields I defined in my report search, but also an additional field not present in the search ([MySplunkSavedReport].[_pre_msg]). This is odd for me, as I am able to generate an extract from another saved report, which also includes similar fields ( logonuser (text), usertype (text), and _time).
Is this related to the known issue identified as DVPL-2957? Any recommendations as to how I can resolve it? A somewhat cleaned-up search is below if it is helpful or needed to give context (I can provide more details/clarification if needed).
Thanks in advance to any Splunk gurus who can help!
host=server* source="WinEventLog:Microsoft-Windows-TerminalServices-SessionBroker/Operational" 801 | rex field=Message "user DOMAINName\\\(?<logonUser>\w+)" | eval ADAccount=logonUser | ldapfilter domain=DOMAINName search="(sAMAccountName=$ADAccount$)" attrs="memberOf" | eval userType=case((mvfind(memberOf,"CN\=GRP_Name1") >= 0 ), "Group1", (mvfind(memberOf,"CN\=GRP_Name2") >= 0 ), "Group2", (mvfind(memberOf,"CN\=GRP_Name3") >= 0 ), "Group3") | fields logonUser,userType,_time