I'm trying to pull the "User Name: Schrodinger" field rather than the "User=SYSTEM" field. My search query only pulls back the "User" field when entered; is there any way to pull the "User Name:" field?
Here is my search string (note: when I pull "User" all I get is "SYSTEM"; when I tried "User Name" I get nothing):
EventCode="529" OR EventCode="530" OR EventCode="531" OR EventCode="532" OR EventCode="533" OR EventCode="534" OR EventCode="535" OR EventCode="536" OR EventCode="537" OR EventCode="539" OR EventCode="681" OR EventCode="4625" | stats count by User
Below is the audit event I'm searching:
09/18/2012 11:43:45 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=CANDYLAND
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=279177
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: Schrodinger
Domain: Milkyway
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: CANDYLAND
Caller User Name: CANDYLAND$
Caller Domain: Milkyway
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3204
Transited Services: -
Source Network Address: 134.67.225.17
Source Port: 2653
How is the field extracted in your Splunk? Splunk does not like field names with spaces, but it should have cleaned the space up with an underscore, i.e. User_Name...
If not, you might want to extract it with something like this:
... | rex field=_raw "(?msi)User\s+Name:\s+(?P<username>\S+)" | stats count by username
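As an added example (not part of the question or the answer above), the following Python script reproduces what the two searches see. The key=value header lines are the automatically extracted fields, which is why "stats count by User" only ever returns SYSTEM; the "User Name:" value lives inside the free-text Message and has to be pulled out with a regex like the rex in the answer. The sample events are constructed from the event in the question (account and source address varied), and (?msi) is mapped onto Python's MULTILINE, DOTALL and IGNORECASE flags. The `strict` variant with a leading `^` is my own addition to show a pitfall: the unanchored pattern also matches the "Caller User Name:" line.

```python
import re
from collections import Counter

# Constructed sample: the failed-logon event from the question, trimmed to the
# lines the extraction needs, with the account and source address parameterised
# so that several events can be generated for counting. Not real log data.
EVENT_TEMPLATE = """09/18/2012 11:43:45 AM
LogName=Security
SourceName=Security
EventCode=529
Type=Failure Audit
ComputerName=CANDYLAND
User=SYSTEM
Sid=S-1-5-18
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: Milkyway
Logon Type: 10
Workstation Name: CANDYLAND
Caller User Name: CANDYLAND$
Source Network Address: {ip}
Source Port: 2653"""

EVENTS = [
    EVENT_TEMPLATE.format(user="Schrodinger", ip="134.67.225.17"),
    EVENT_TEMPLATE.format(user="Alice", ip="10.0.0.5"),
    EVENT_TEMPLATE.format(user="Schrodinger", ip="10.0.0.9"),
]

# key=value header lines: this is what "stats count by User" gets to see.
HEADER_RE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)

# Same pattern as the rex in the answer; (?msi) becomes the three flags below.
USERNAME_RE = re.compile(r"User\s+Name:\s+(?P<username>\S+)",
                         re.MULTILINE | re.DOTALL | re.IGNORECASE)

# Anchored variant (my addition): only a line that *starts* with "User Name:"
# qualifies, so "Caller User Name: CANDYLAND$" can never be picked up.
STRICT_USERNAME_RE = re.compile(r"^User\s+Name:\s+(?P<username>\S+)",
                                re.MULTILINE | re.DOTALL | re.IGNORECASE)


def header_fields(raw):
    """Return the key=value header fields of one event as a dict."""
    return dict(HEADER_RE.findall(raw))


def extract_username(raw, strict=False):
    """Pull the account name out of the Message text, or None if absent."""
    pattern = STRICT_USERNAME_RE if strict else USERNAME_RE
    match = pattern.search(raw)          # first match only, like rex's default
    return match.group("username") if match else None


def count_by_username(events, strict=False):
    """Equivalent of '... | stats count by username' over the given events."""
    names = (extract_username(e, strict=strict) for e in events)
    return Counter(n for n in names if n is not None)


if __name__ == "__main__":
    print("User header field:", header_fields(EVENTS[0])["User"])   # SYSTEM
    print("User Name from Message:", extract_username(EVENTS[0]))  # Schrodinger
    print("count by username:", dict(count_by_username(EVENTS)))
```

Run as written it prints SYSTEM for the header field and Schrodinger for the Message field, and counts two failures for Schrodinger and one for Alice. The pitfall is visible if you drop the "User Name:" line from an event: the unanchored pattern then silently returns the caller account CANDYLAND$, while the anchored one returns None, which is the behaviour you want in a failed-logon report.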