Hello,
I have the following search:
index=security_wineventlog EventCode=4625
| table _time, Workstation_Name, Source_Network_Address, host, Account_Name
| eval Account_Name=if(Account_Name="*$", mvindex(Account_Name,1), Account_Name)
| eval Account_Name=if(Account_Name="-", mvindex(Account_Name,1), Account_Name)
| eval Account_Name=if(Account_Name="ADFS", mvindex(Account_Name,1), Account_Name)
| eval Time=strftime(_time,"%Y/%m/%d %T")
Now, using the eval command, I am finding any results with "-", "ADFS", or "randomcomputername$" and instead choosing the next value for Account_Name. However, when running the search, I am still seeing account names with $ at the end.
Here are the results I get when I do a search:
How can I move past account names with $ in them per my search above and populate the next value for Account_Name? I searched Google and Splunk Answers and was not able to find an answer. Thank you.
What about using mvfilter to get rid of the ones you don't want?
| eval Account_Name = mvfilter(Account_Name!="-" AND Account_Name!="ADFS" AND NOT match(Account_Name,"\$$"))
That worked wonderfully and is exactly what I needed, thank you Maciep!
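A runnable illustration of the accepted answer on constructed data. This is an added example, not code from the original thread: the three sample events are made up with `makeresults`, and the field names `n`, `filtered` and `target_by_position` are my own. It also shows why the original `eval` did not work: `=` in `eval` is an exact string comparison, so `"*$"` is not treated as a wildcard, whereas `match()` takes a regex and `\$$` anchors a literal `$` at the end of the value.

```spl
| makeresults count=3
| streamstats count AS n
| eval Account_Name=split(case(n==1, "WS01$|jdoe",
                                n==2, "-|svc_backup",
                                n==3, "ADFS|a.smith"), "|")
| eval filtered=mvfilter(Account_Name!="-" AND Account_Name!="ADFS" AND NOT match(Account_Name,"\$$"))
| eval target_by_position=mvindex(Account_Name,-1)
| table n Account_Name filtered target_by_position
```

Expected behaviour: `Account_Name` stays a two-value field on every row, `filtered` keeps only `jdoe`, `svc_backup` and `a.smith`, and `target_by_position` returns the same three names by taking the last value. The positional form is worth knowing for 4625 specifically: in the event text the Subject account name precedes the "Account For Which Logon Failed" name, so the target is normally the last value, and it keeps working if a new subject value shows up that none of the three patterns cover. Confirm the order against your own extraction before relying on it. In the original search the three `eval ... if(...)` lines collapse to the single `mvfilter` line; `mvfilter` drops every value that fails the condition rather than only inspecting the first one.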