Alerting

Why is there a null field appended to a username in my Alerts.

splunktrainingu
Communicator

This is my search query for my alert.

index=test EventCode=4625 | eval Account_Name=mvindex(Account_Name, -1) | search NOT Account_Name="BENQ$" NOT Account_Name="-" | stats count by Account_Name
| where count >= 2

So the alert will trigger if a person fails to login 2 times or more. The PDF shows a the username (johnsmithnull) but when opening it in the table it shows johnsmith and the count of how many times. Is Johnsmithnull a title the gets appended by splunk?

Labels (1)
0 Karma
1 Solution

splunktrainingu
Communicator

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
he recommended using the inline result

View solution in original post

0 Karma

splunktrainingu
Communicator

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
he recommended using the inline result

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both).

---
If this reply helps you, Karma would be appreciated.

splunktrainingu
Communicator

I am going to run some tests then. But what is different about inline vs PDF?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Putting the results inline means recipients see the data in the body of the email, unadulterated by the PDf generator.

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunktrainingu
Communicator

Thank you!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...