Splunk Search

Allowing More Fields to be Shown in a Search

itsmevic
Communicator

Quick background:
I'm looking for SSO logins by users that have authenticated via NTLM.

Issue:
I copied a snippet of text directly from the SSO logs ("NTLMSSP principal: DomainName= UserName") that I thought would be apparent in each event where users are using SSO but authenticating with NTLM. There are 100 fields total that are associated with the SSO index alone (i.e., typing in index=sso and hitting enter); however, when using the string of text indicated above as a search parameter it reduces the available fields from 100 to 23. Since I cannot see the entire list of fields it's causing issues because I need to be able to see the "carrierCode" field, which isn't available when using the "NTLMSSP principal: DomainName= UserName" text string in my search.

Is there a way to incorporate another search within my existing search [and subsearch] that would allow all 100 fields to be viewable in the SSO index so that I could select the carrierCode field and capture its numbers? I hope this makes sense. Any help is greatly appreciated.

index="sso" sourcetype="ping*" UserName="" Workstation="" "NTLMSSP principal: DomainName= UserName"
| fields index,sourcetype,UserName,Workstation
| join UserName
[search index=msad sourcetype=ActiveDirectory sAMAccountName="*"
| stats count by title,description,department,sAMAccountName
| rename sAMAccountName AS UserName
| table description,department,UserName,title]
| stats count by Workstation,UserName,title,department,description
| sort -count

0 Karma

codebuilder
Influencer

The issue is with your search. The syntax you referenced:

| fields index,sourcetype,UserName,Workstation

This is telling Splunk to return ONLY those fields. Any subsequent commands, functions, etc. that reference any other field will not be valid. Later in your search, you are trying to "table" fields that you have excluded previously.

Move your "fields" to the end of your search, and use it to either include or exclude data that you do/do not want returned to the search head. I cannot test your search obviously, but would guess that if you delete the entire line "| fields index,sourcetype,UserName,Workstation" it will work for you.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
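To make the accepted advice concrete, here is the asker's search rewritten with the `fields` restriction removed from the middle of the pipeline and moved to the end, so that `carrierCode` survives the `join` and can be grouped on. This is an added example, not code from either poster; it assumes `carrierCode` is an extracted field on the `index=sso` events that match the NTLMSSP string, and that the rest of the field names (`UserName`, `Workstation`, `sAMAccountName`, `title`, `description`, `department`) are as in the original post.

```spl
index="sso" sourcetype="ping*" "NTLMSSP principal: DomainName= UserName"
| join UserName
    [ search index=msad sourcetype=ActiveDirectory sAMAccountName="*"
      | stats count by title, description, department, sAMAccountName
      | rename sAMAccountName AS UserName
      | table description, department, UserName, title ]
| stats count by Workstation, UserName, carrierCode, title, department, description
| sort -count
| fields - _raw, _time
| fields + Workstation, UserName, carrierCode, title, department, description, count
```

The `fields - ...` and `fields + ...` forms at the end are the include/exclude usage the answer refers to; because they run after `stats`, they only trim what is sent back to the search head and cannot starve an earlier command of a field it needs. One check worth doing before blaming `fields`: run just the first line of the search on its own and open the field sidebar. Splunk lists only fields present in the events actually returned, so if `carrierCode` is absent there, the NTLM events simply do not carry that field and no rearrangement of `fields` will produce it; it would then have to come from a different set of SSO events joined on `UserName`.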