I have a customer that is attempting to check a field “Account_Name”. Some of the events have multiple account names in the field. He needs to break them out so that he has two Account_Name entries instead of one with two values. I sent him the following links but they appear to not be working for him:
https://answers.splunk.com/answers/136067/how-split-up-a-string-into-multiple-fields.html
https://answers.splunk.com/answers/345937/how-to-transpose-a-table-to-make-the-values-in-col.html
Below is the search he is conducting:
index=r0* sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)
| lookup Server_IP_r0a ip as src_ip OUTPUT filter
| search filter=0
| eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
| table Account_Name
Here is a sample of his desired results:
Account_Name
-
Administrator
Notice that the Account_Name field has two entries in it. Sometimes the entries are two names and sometimes it is a “-” and a name. He wants to take those two entries in one field and split them into one entry in two fields so that Account_Name of “-” and Administrator becomes Account_Name of “-” and Account_Name of Administrator so that he can run both names through the same search and lookup commands.
Any suggestions or help would be greatly appreciated. Thank you.
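An added example, not part of the original post, showing how `mvexpand` turns one event with a multivalue Account_Name into one event per value. The first search builds two constructed events with `makeresults` so it runs on any Splunk instance without the r0* indexes; the `rex` line is an assumed stand-in for the Windows add-on's own extraction. The second search is the customer's search from the post with `mvexpand` inserted before the lookup, so each account name is filtered and looked up as its own row; index, lookup and field names are taken from the post and are otherwise assumptions.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n==1, "EventCode=4624 Account Name: - Account Name: Administrator", "EventCode=4624 Account Name: svc_backup Account Name: jdoe")
| rex max_match=0 "Account Name:\s+(?<Account_Name>\S+)"
| mvexpand Account_Name
| table n Account_Name

index=r0* sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)
| mvexpand Account_Name
| lookup Server_IP_r0a ip as src_ip OUTPUT filter
| search filter=0
| eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
| table Account_Name Local_Account_Name
```

The first search returns four rows (n=1 with "-", n=1 with Administrator, n=2 with svc_backup, n=2 with jdoe); the "-" placeholder is kept deliberately, since the post wants both values run through the same pipeline. `mvexpand` is bounded by `max_mem_usage_mb` in limits.conf and will truncate with a warning on very large result sets, so expand before the lookup and after any filters that cut down the event count.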