Windows Logs "User" versus "User Name"

hagjos43
Contributor

I'm trying to pull the "User Name: Schrodinger" field rather than the "User=SYSTEM" Field. My search query only pulls back the "user" field when entered, is there any way to pull the "User Name:" field?

Here is my search string (note: when I pull "User" all I get is "SYSTEM"; when I tried "User Name" I got nothing):

EventCode="529" OR EventCode="530" OR EventCode="531" OR EventCode="532" OR EventCode="533" OR EventCode="534" OR EventCode="535" OR EventCode="536" OR EventCode="537" OR EventCode="539" OR EventCode="681" OR EventCode="4625" | stats count by User

Below is the audit event I'm searching:

09/18/2012 11:43:45 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=CANDYLAND
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=279177
Message=Logon Failure:
    Reason:     Unknown user name or bad password
    User Name:  Schrodinger
    Domain:     Milkyway
    Logon Type: 10
    Logon Process:  User32
    Authentication Package: Negotiate
    Workstation Name:   CANDYLAND
    Caller User Name:   CANDYLAND$
    Caller Domain:  Milkyway
    Caller Logon ID:    (0x0,0x3E7)
    Caller Process ID:  3204
    Transited Services: -
    Source Network Address: 134.67.225.17
    Source Port:    2653

MarioM
Motivator

How is the field extracted in your Splunk? Because Splunk does not like field names with spaces, it should have cleaned the space into an underscore, i.e. User_Name...

If not, you might want to extract it with something like this:

... | rex field=_raw "(?msi)User\s+Name:\s+(?P<username>\S+)" | stats count by username

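To make the difference between the two fields concrete, here is an added example in Python; it is not code from the original post and not Splunk's own extraction logic. It builds three constructed 529-style events modelled on the one in the question, emulates Splunk's automatic key=value extraction of the header lines (which is where the User=SYSTEM field comes from), applies the rex from the accepted answer, and then does the equivalent of `stats count by username`. The `re.M | re.S | re.I` flags stand in for SPL's `(?msi)`. The `make_event` helper, the `EVENTS` list, the second source address 10.0.0.5, the extra port numbers and the account name `alice` are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events modelled on the 529 event in the question; not real log data.
def make_event(user, src_ip, src_port, caller="CANDYLAND$"):
    return f"""09/18/2012 11:43:45 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=CANDYLAND
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
Message=Logon Failure:
    Reason:     Unknown user name or bad password
    User Name:  {user}
    Domain:     Milkyway
    Logon Type: 10
    Logon Process:  User32
    Authentication Package: Negotiate
    Workstation Name:   CANDYLAND
    Caller User Name:   {caller}
    Caller Domain:  Milkyway
    Caller Logon ID:    (0x0,0x3E7)
    Caller Process ID:  3204
    Transited Services: -
    Source Network Address: {src_ip}
    Source Port:    {src_port}"""

# Assumed sample set: two failures against Schrodinger from one address, one against alice.
EVENTS = [
    make_event("Schrodinger", "134.67.225.17", 2653),
    make_event("Schrodinger", "134.67.225.17", 2654),
    make_event("alice", "10.0.0.5", 4410),
]

# The rex from the accepted answer; SPL's (?msi) is re.M | re.S | re.I in Python.
ANSWER_RE = re.compile(r"User\s+Name:\s+(?P<username>\S+)", re.M | re.S | re.I)

# Anchored at line start so that "Caller User Name:" cannot match (assumes one field per line).
TARGET_USER_RE = re.compile(r"^[ \t]*User[ \t]+Name:[ \t]+(?P<username>\S+)", re.M | re.I)

# Header lines are key=value pairs; Splunk extracts these automatically (hence User=SYSTEM).
HEADER_KV_RE = re.compile(r"^(\w+)=(.*)$", re.M)

# Indented "Key: value" lines that make up the Message body.
MESSAGE_KV_RE = re.compile(r"^[ \t]+([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)[ \t]*$", re.M)


def header_fields(raw):
    """Emulate automatic key=value extraction on the event header."""
    return dict(HEADER_KV_RE.findall(raw))


def message_fields(raw):
    """Parse every Message line into a dict; spaces in keys become underscores, as Splunk does."""
    return {k.replace(" ", "_"): v for k, v in MESSAGE_KV_RE.findall(raw)}


def rex_username(raw):
    """The accepted answer's rex: first 'User Name:' value found in _raw."""
    m = ANSWER_RE.search(raw)
    return m.group("username") if m else None


def rex_all_usernames(raw):
    """Every value the unanchored rex would match, to show that it also hits 'Caller User Name:'."""
    return ANSWER_RE.findall(raw)


def target_user(raw):
    """Target account only, using the line-anchored pattern."""
    m = TARGET_USER_RE.search(raw)
    return m.group("username") if m else None


def count_by(events, key_fn):
    """Equivalent of 'stats count by <key>'."""
    return Counter(key_fn(e) for e in events)


def failed_logons_by_user_and_source(events):
    """Failed logons per (target account, source address): the pairing used for brute-force triage."""
    return count_by(events, lambda e: (target_user(e), message_fields(e)["Source_Network_Address"]))


if __name__ == "__main__":
    print("stats count by User:    ", dict(count_by(EVENTS, lambda e: header_fields(e)["User"])))
    print("stats count by username:", dict(count_by(EVENTS, rex_username)))
    print("by target user, source: ", dict(failed_logons_by_user_and_source(EVENTS)))
```

Two things worth knowing before relying on the one-line rex. First, `User` in the header is the subject of the event (SYSTEM, the account the Logon process runs as), not the account that failed to log on; only the `User Name:` line in the Message names the target, which is why `stats count by User` returns a single SYSTEM bucket. Second, the unanchored pattern also matches `Caller User Name:`; `rex` returns the first match, which is the target only because that line precedes the caller line in the 529 layout. Anchoring the pattern at line start, or parsing every `Key: value` line as `message_fields` does, removes the dependency on line order and also gives you `Source_Network_Address` for a per-attacker count.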
