Solved: Re: Why is there a null field appended to a userna...

splunktrainingu · ‎05-22-2020

This is my search query for my alert.

index=test EventCode=4625 | eval Account_Name=mvindex(Account_Name, -1) | search NOT Account_Name="BENQ$" NOT Account_Name="-" | stats count by Account_Name
| where count >= 2

So the alert will trigger if a person fails to login 2 times or more. The PDF shows a the username (johnsmithnull) but when opening it in the table it shows johnsmith and the count of how many times. Is Johnsmithnull a title the gets appended by splunk?

splunktrainingu · ‎05-22-2020

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
he recommended using the inline result

View solution in original post

splunktrainingu · ‎05-22-2020

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)."
he recommended using the inline result

richgalloway · ‎05-22-2020

Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both).

---
If this reply helps you, Karma would be appreciated.

splunktrainingu · ‎05-22-2020

I am going to run some tests then. But what is different about inline vs PDF?

richgalloway · ‎05-22-2020

Putting the results inline means recipients see the data in the body of the email, unadulterated by the PDf generator.

---
If this reply helps you, Karma would be appreciated.

splunktrainingu · ‎05-22-2020

Thank you!

Why is there a null field appended to a username in my Alerts.

alert condition

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?