Hi, 

I am attempting to update a notable.

The notable allows us to identify if a AWS new user has been created via a API or via AWS Management Console. This is via the ingestion of the AWS CloudTrial events logs in to our Splunk instance.

We have a situation were a number of the AWS new users are being created in our Dev and Test accounts.

I am attempting to filter out these specific events and only focus on the AWS new users being created in other accounts. The Dev and Test AWS accounts have there own specific 'arn' prefixes, which uniquely identify which AWS resources assigned to which account. 

Could someone please provide some help as whether on right track with the revised SPL, should I being another attribute from the AWS CloudTrial logs or the 'arn' the right direction.

index=aws sourcetype="aws:cloudtrail" (arn!="arn*xxxxxxxxxxxx*" OR arn!="arn*xxxxxxxxxxxx*") AND (eventName=CreateUser OR eventName=CreateLoginProfile OR eventName=CreateAccount) errorCode=success
| rex field=userIdentity.arn ".*\/(?<src_user>.*)$"
| rename requestParameters.accountName as account_name requestParameters.userName as user_name eventName as action
| eval user = coalesce(account_name,user_name)
| fields requestID src_user action user eventSource urgency

Thanks again in advance, appreciate any assistance or guidance anyone can offer.