This is my scenario
When I do a search on my event log, there are 2 events for the same user. I have extracted the field as UserName1.
The UserName1 field data looks like this:
r3452
(Unknown User) Bart
r2456
Bart
r3722
So Bart shows up in 2 events. One as Bart and another as (Unknown User) Bart.
I have tried several queries to create a table that removes both these entries but have been unsuccessful. Any help is appreciated.
Edit: Extraction for question below.
EXTRACT-UserName1 = (?i)<user_name>(?P<UserName1>[^<]+)
In the props.conf file. Extracting the data isn't so much my problem, as the fields are extracted correctly. I just want to remove the unknown user, as it is tagged as such, and then the subsequent failed login without the unknown user designation.
Might I suggest either experimenting with your field extraction to not have these entries OR just append:
NOT "*Unknown User*"
Does that fix it?
Unfortunately this won't work. I have a dash that shows failed logins because the user is an unknown user. I have another dash that shows legitimate user failed logins. I want them to be mutually exclusive. That is, I do not want to see the unknown users' failures in my legitimate user dash. But the data source gives me 2 events for the unknown users: one with the (Unknown user) prefix on the username and the other with just the username. If I do a NOT command, I will only filter out the (Unknown user) event, leaving me with the other event from that user that I want to remove.
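The mutual-exclusion logic described above, as an added example in Python (not from this thread and not Splunk SPL): a first pass collects every username that appears with the (Unknown User) prefix, a second pass routes each event to exactly one dashboard, so both the prefixed event and the bare "Bart" event leave the legitimate-user view. It is the same two-pass shape a subsearch takes in Splunk; the event records and field name UserName1 are constructed from the values quoted in the question, and the prefix is matched case-insensitively because the thread spells it both "(Unknown User)" and "(Unknown user)".

```python
import re

# Constructed sample events modelled on the UserName1 values in the question.
EVENTS = [
    {"_time": 1, "UserName1": "r3452"},
    {"_time": 2, "UserName1": "(Unknown User) Bart"},
    {"_time": 3, "UserName1": "r2456"},
    {"_time": 4, "UserName1": "Bart"},
    {"_time": 5, "UserName1": "r3722"},
]

# Matches the "(Unknown User) <name>" form and captures the bare name.
UNKNOWN_RE = re.compile(r"^\(unknown user\)\s*(?P<user>.+)$", re.IGNORECASE)


def bare_name(value):
    """Normalise a UserName1 value to the bare username, prefix stripped."""
    m = UNKNOWN_RE.match(value)
    return (m.group("user") if m else value).strip().lower()


def unknown_users(events):
    """Pass 1: usernames that appear at least once with the (Unknown User) prefix."""
    names = set()
    for ev in events:
        m = UNKNOWN_RE.match(ev.get("UserName1", ""))
        if m:
            names.add(m.group("user").strip().lower())
    return names


def split_failed_logins(events):
    """Pass 2: route every event to exactly one of the two dashboards.

    Any event whose bare username is in the unknown-user set goes to the
    unknown-user list, whether or not this particular event carried the
    prefix; everything else is a legitimate-user failed login.
    """
    excluded = unknown_users(events)
    legitimate, unknown = [], []
    for ev in events:
        if bare_name(ev.get("UserName1", "")) in excluded:
            unknown.append(ev)
        else:
            legitimate.append(ev)
    return legitimate, unknown


if __name__ == "__main__":
    legit, unk = split_failed_logins(EVENTS)
    print("legitimate:", [e["UserName1"] for e in legit])
    print("unknown:", [e["UserName1"] for e in unk])
```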
Can you post your method for extracting the user?