Hello Splunkers, Problem: Splunk query returns events where "Account_Name" appears twice, thus returning multiple/inaccurate Account Name results. Solution: I want to rex grab the second instance of Account_Name. Here is an example of output: Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1616162011-3457912633-3195248547-20163 Account Name: johndoe Account Domain: THISDOMAIN Logon ID: stuff_here Logon GUID: {00000000-0000-0000-0000-000000000000} In this situation, I want to grab "johndoe". I am not sure how to skip all of the lines in between the first Account Name and the second, then precede to pull "johndoe". Thanks for your answers and help in advance. ... View more

Hello Splunkers, I have a Dashboard View that is auto-refreshing every 5 minutes. Working well. I don't know what I changed in my XML, but for some reason every 5 minutes it auto-refreshes itself into Edit Mode. I like that it is refreshing. I don't like that it is putting it into edit mode automatically. Anyone have an answer for this? Thanks! ... View more

Hello all, I have a query that is locating users that are logging in to our exchange server. I have an alert set up that sends the username to a static e-mail address. I would like to make that static e-mail address dynamic based on the results pulled from the table. i.e.: index=exchange these_terms_here --> yields --> johndoe@google.com Instead of alerting ME that johndoe@google.com has logged in, I want to alert johndoe@google.com that he has logged in. I was thinking that Splunk uses Splunk Alert: $name$, so I could just call my field from the search results $email$, but that appears to be local to the create alert function. Other than a Python script, thoughts? I will do it w/ Python if there are no local-to-Splunk options. Thanks! ... View more

Hello all, I am wanting to build a panel in my Dashboard that allows me to see a small sample of the login trends of users. I think a Sparkline would be a good method to use, based on its compact size and trend-viewing capability. I've been tinkering around with Sparkline but can't quite get what I'm looking for. I liked the example Splunk Documentation gave of having the magnitudes of the Earthquakes, I feel like my solution should be easier than that. Alas, I am stuck. My query asks: search this_index this_sourcetype logon_message etc.etc. | stats count by Account_Name | sort count This shows me my account_names with the highest number of successful logins. Now I'd like to see that in a Sparkline over a short period of time. Thoughts? Thanks! ... View more

Hello, After some time spent Googling/Splunking yesterday, I could not find a unique solution to my problem. Goal: I have a list of services (splunkd.exe, splunkweb.exe, svchost.exe, etc) that I want to exclude from a search without having a query string that is 25 lines. I want to read the exclusion list from a CSV. Query pseudocode: Search index to see if any services have been installed on any systems. EXCLUDE services from . Good things: If I just have | inputlookup this_lookup | fields services, then I can see all of my values of that field in a table in splunk. Bad things: If I say NOT | inputlookup this_lookup | fields services | It doesn't recognize the match between the values in the CSV and the service_file_names in the logs, returns ALL results. Bottom line (& at the end of the day? ;)): I noticed that in the events, the Service_File_Name is a full path, i.e. C:\Win\temp\this.sys, sometimes with quotes, sometimes with %sys%. Is it possible that the formatting I have stored these service file names in is not appropriate? It works as a query to say NOT (this.sys OR mcafee.exe), so I used the same formatting for those service names in my CSV. Looking for direction, thank you. P.S. I've looked at almost all of the inputlookup questions (and read the documentation) and haven't found my solution. ... View more