Splunk Search

Table creation without Unknown Users

antlefebvre
Communicator

This is my scenario

When I do a search on my event log there are 2 events for the same user. I have extracted the field as UserName1.

The UserName1 field data looks like this

r3452

(Unknown User) Bart

r2456

Bart

r3722

So Bart shows up in 2 events. One as Bart and another as (Unknown User) Bart.

I have tried several queries to create a table that removes both these entries but have been unsuccessful. Any help is appreciated.

Edit: Extraction for question below.

EXTRACT-UserName1 = (?i)<user_name>(?P<UserName1>[^<]+)

In the props.conf file. Extracting the data isn't so much my problem as they are extracted correctly. I just want to remove the unknown user as it is tagged as such. Then the subsequent failed login without the unknown user designation.


jtrucks
Splunk Employee

Might I suggest either experimenting with your field extraction to not have these entries OR just append:

NOT "*Unknown User*"

Does that fix it?

--
Jesse Trucks
Minister of Magic

antlefebvre
Communicator

Unfortunately this won't work. I have a dash that shows failed logins because the user is an unknown user. I have another dash that shows legitimate user failed logins. I want them to be mutually exclusive. That is, I do not want to see the unknown users' failures in my legitimate user dash. But the data source gives me 2 events for the unknown users: one with the (Unknown user) prefix on the username and the other with just the username. If I do a NOT command I will only filter out the (Unknown user) event, leaving me with the other event from that user that I want to remove.

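One way to get the mutually exclusive "legitimate failed logins" view the question and the follow-up describe, as an added SPL example that is not from the original thread: strip the prefix to get a base username, flag the unknown-user events, then use eventstats to mark every event belonging to a user who has at least one flagged event and drop them all. The index, sourcetype and the BaseUser / is_unknown / has_unknown field names are assumptions; UserName1 is the field from the question.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| rex field=UserName1 "^(?i)(?<unknown_prefix>\(Unknown User\)\s*)?(?<BaseUser>.+)$"
| eval is_unknown=if(isnotnull(unknown_prefix), 1, 0)
| eventstats max(is_unknown) AS has_unknown BY BaseUser
| where has_unknown=0
| table _time BaseUser UserName1
```

With the sample values from the question, both the "(Unknown User) Bart" and the plain "Bart" events are dropped while r3452, r2456 and r3722 remain; for the unknown-user dash, change the last condition to `where has_unknown=1`. Note that eventstats only sees events inside the search time range, so the two events of a pair must both fall within the window for the pairing to work.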

lukejadamec
Super Champion

Can you post your method for extracting the user?
