Hello,
I'm trying to get a clearer picture of data from our Okta application; however, two pieces of information have the exact same field. Is there a way to change this?
So the example here is we are searching for all users and we want just a list of their names. The search query below is what we use to find it; however, it drags a browser name in too.
source=okta:event actors{}.displayName=*
exampleUser
exampleBrowser
When that query is returned, it provides us with the name of the user which is what we want but also displays the browser they used.
Just to be clear, the browser information isn't tied to the one field and just appears at the end. There are just two identical fields called actors{}.displayName, one displays a browser the other a name.
Hi stegray93,
I believe that you could use a regular expression
to extract this information. Can you send some samples of the data so I can help you?
Hi, below is the sample event. Parts in bold are the parts I am referring to.
{ [-]
action: { [+]
}
actors: [ [-]
{ [-]
displayName: Example
id: 00u10rdjtruAa5Qbf0x7
login: example@flexerasoftware.com
objectType: User
}
{ [-]
displayName: CHROME
id: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
ipAddress: 50.233.14.1
objectType: Client
}
]
eventId: tevs4oEpigaRlS8BgQGODiMig1468252444000
published: 2016-07-11T15:54:04.000Z
requestId: V4PBG-P59xfVa7HBAKck6wAABUU
sessionId: 1018VGvLCuXQ6CcHoC9rltHmg
targets: [ [+]
]
Are both fields inside the same JSON node, or not? Does the content of the first displayName field have a fixed size? Because if the first field has a fixed size (7 bytes), you could use this regex: (displayName:\s[A-Z]{6})
Try this
source=okta:event actors{}.displayName=* | eval "actors{}.displayName"=mvindex('actors{}.displayName',0)
Updated Answer based on sample event.
Give this a try
source=okta:event actors{}.displayName=* actors{}.objectType=User
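To see why an event-level filter such as actors{}.objectType=User still leaves the browser value in the results, here is an added Python example (not code from this thread or from Splunk) that mimics how the actors array is flattened into multivalue fields and then filters at the value level instead. The event is constructed from the sample above with placeholder ids, login and IP; the positional pairing assumes every actor carries both displayName and objectType, as in the sample.

```python
import json

# Constructed sample event modelled on the Okta event in the thread.
# Ids, login and IP address are placeholders, not real values.
SAMPLE_EVENT = json.dumps({
    "actors": [
        {"displayName": "Example", "id": "00uEXAMPLEID",
         "login": "example@example.com", "objectType": "User"},
        {"displayName": "CHROME", "id": "Mozilla/5.0 (example user agent)",
         "ipAddress": "192.0.2.10", "objectType": "Client"},
    ],
    "eventId": "tevEXAMPLEID",
    "published": "2016-07-11T15:54:04.000Z",
})


def flatten_actors(event):
    """Mimic automatic JSON field extraction: every actors[].<key> collapses
    into one multivalue field named actors{}.<key>, so the link between a
    displayName and the objectType of the same actor is lost."""
    fields = {}
    for actor in event["actors"]:
        for key, value in actor.items():
            fields.setdefault("actors{}." + key, []).append(value)
    return fields


def event_matches(fields, field, wanted):
    """Event-level filter (the effect of actors{}.objectType=User): true when
    ANY value of the multivalue field matches, so the whole event, browser
    displayName included, is kept. It never removes individual values."""
    return wanted in fields.get(field, [])


def user_display_names(fields):
    """Value-level filter on the flattened fields: pair displayName with
    objectType by position (the idea behind mvzip followed by mvfilter in SPL)
    and keep only names belonging to User actors."""
    names = fields.get("actors{}.displayName", [])
    types = fields.get("actors{}.objectType", [])
    return [name for name, kind in zip(names, types) if kind == "User"]


def user_display_names_from_json(raw_event):
    """Same result taken straight from the JSON structure, where the actor
    boundaries are still intact, so no positional pairing is needed."""
    event = json.loads(raw_event)
    return [a["displayName"] for a in event["actors"]
            if a.get("objectType") == "User"]


if __name__ == "__main__":
    flat = flatten_actors(json.loads(SAMPLE_EVENT))
    print("flattened displayName:", flat["actors{}.displayName"])
    print("event kept by objectType=User filter:",
          event_matches(flat, "actors{}.objectType", "User"))
    print("user names only:", user_display_names(flat))
    print("from JSON directly:", user_display_names_from_json(SAMPLE_EVENT))
```

Running it shows the flattened field holding both "Example" and "CHROME", the event-level filter returning True (the event is kept whole), and both value-level approaches returning just the user's name, which is the behaviour the search is after.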
That didn't work 😞 still showing the browser information. We originally tried a NOT command with an AND; that didn't seem to like it either.
Any pattern in the event which shows the Browser names OR any pattern in the value using which those events could be filtered out? Probably one sample event of user and browser would help understand the problem better.
Please see below a standard sample event. Let me know if you need more.
{ [-]
action: { [+]
}
actors: [ [-]
{ [-]
displayName: Example
id: 00u10rdjtruAa5Qbf0x7
login: example@flexerasoftware.com
objectType: User
}
{ [-]
displayName: CHROME
id: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
ipAddress: 50.233.14.1
objectType: Client
}
]
eventId: tevs4oEpigaRlS8BgQGODiMig1468252444000
published: 2016-07-11T15:54:04.000Z
requestId: V4PBG-P59xfVa7HBAKck6wAABUU
sessionId: 1018VGvLCuXQ6CcHoC9rltHmg
targets: [ [+]
]
Try the updated answers.
Still didn't work. When I stat them up, Chrome, IE11 and Firefox are still the top 3. It's strange, as it generates it as if they were their own user; then, when applying the NOT to the search string for CHROME, it removes anyone who's logged in using CHROME.
Would you be able to provide some screenshots of what the events look like upon running the updated query?
Might sound like a silly question but how do I upload an image into here?
You can upload the image to a site like https://postimage.org/ and post the URL here.