Re: Table creation without Unknown Users

antlefebvre · ‎08-01-2013

This is my scenario

When I so a search on my event log there are 2 events for the same user. I have extracted the field as UserName1.

The UserName1 field data looks like this

r3452

(Unknown User) Bart

r2456

Bart

r3722

So Bart shows up in 2 events. One as Bart and another as (Unknown User) Bart.

I have tried several queries to create a table that removes both these entries but have been unsuccessful. Any help is appreciated.

Edit: Extraction for question below.

EXTRACT-UserName1 = (?i)<user_name>(?P<UserName1>[^<]+)

In the props.conf file. Extracting the data isn't so much my problem as they are extracted correctly. I just want to remove the unknown user as it is tagged as such. Then the subsequent failed login without the unknown user designation.

jtrucks · ‎08-02-2013

Might I suggest either experimenting with your field extraction to not have these entries OR just append:

NOT "*Unknown User*"

Does that fix it?

--
Jesse Trucks
Minister of Magic

antlefebvre · ‎08-02-2013

Unfortunately this won't work. I have a dash that shows failed logins because the user is an unknown user. I have another dash that shows legitimate user failed logins. I want them to be mutually exclusive. That is I do not want to see the unknown users failures in my legitimate user dash. But the data source gives me 2 events for the unknown users. One with the (Unknown user) prefix on the username and the other with just the username. If I do a NOT command I will only filter out the (Unknown user) event. Leaving me with the other event from that user I want to remove.

lukejadamec · ‎08-01-2013

Can you post your method for extracting the user?

Table creation without Unknown Users

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio