Junk characters showing when I use stats with list...

asing13 · ‎07-17-2021

Dear Community Members ,

In splunk cloud instance :
I am trying to get VPN login and logout for users in a single table sorted by Username and Time.

The query is as below:

eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity,list(_time) as Time by SourceUserName |rename SourceUserName as username|convert ctime(Time)|eval username=upper(username)|sort username,-Time

The search is for a period of 24 hours.

I am getting the data but along with it, I see junk characters (if I may call them so).

Kindly help to understand how to resolve the same.

I also tried adding limit=0 along with stats command but no use.

Below is the screenshot of the fields. I have not shown the username field for security reasons.

I have used a similar query for another VPN and it works fine there and I don't see these characters !

Regards,

Abhishek Singh

asing13 · ‎07-17-2021

eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity,list(_time) as Time by SourceUserName |convert ctime(Time)|sort SourceUserName,-Time

asing13 · ‎07-17-2021

More examples of the issue.

Junk characters showing when I use stats with list command to get the logins and logout of a VPN

fields

other

search job inspector

stats

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?