
Splunk forums, SplunkGeneral: Create new Field and Assign existing field in transforms.conf




Hello,

I am running into an issue where I want to report on the number of logins by server and user. The issue I have is that it appears in the Windows 2003 Server security event log the user is defined by the username field. However, in Windows 2008 Server it is Account Name.

So if I did something like:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, User_Name | sort host

only Windows 2003 is showing up due to User_Name. I have to have:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, Account_Name | sort host

for Win 2008. I would like all this on one report. I tried something like:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, (User_Name OR Account_Name) | sort host
which did not work. So I am figuring I need to write a transform. All I want to do is extract the Account_Name and assign it to a field called User_Name.

I have written more complex transforms but for some reason can't get my mind around this simple one in transforms.conf.

Thanks.

Kevin

how about ... | eval User_Name=coalesce(User_Name,Account_Name) | stats count by User_Name
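To show why the naive `stats count by host, User_Name` silently drops the Windows 2008 events and why the `coalesce()` version fixes it, here is an added Python simulation of that pipeline (it is not code from the thread or from Splunk). The events, host names and user names are constructed sample data; `coalesce()` and `stats_count_by_host_user()` imitate the SPL behaviour that events whose group-by field is null are excluded from `stats`.

```python
"""Added example: simulate `eval User_Name=coalesce(User_Name, Account_Name)
| stats count by host, User_Name | sort host` over constructed events."""
from collections import Counter

# Constructed sample events (not real log data). Windows 2003 (EventCode 528)
# carries the user in User_Name; Windows 2008 (EventCode 4624) carries it in
# Account_Name. The last event has neither field extracted.
SAMPLE_EVENTS = [
    {"host": "dc2003-a", "EventCode": "528", "User_Name": "alice"},
    {"host": "dc2003-a", "EventCode": "528", "User_Name": "bob"},
    {"host": "dc2003-a", "EventCode": "528", "User_Name": "alice"},
    {"host": "fs2008-b", "EventCode": "4624", "Account_Name": "alice"},
    {"host": "fs2008-b", "EventCode": "4624", "Account_Name": "carol"},
    {"host": "fs2008-b", "EventCode": "4624"},
]


def coalesce(*values):
    """Mimic SPL coalesce(): return the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def stats_count_by_host_user(events, user_fields):
    """Mimic `stats count by host, <user>` where <user> is coalesced from
    user_fields, in order. As in Splunk, an event whose group-by field is
    null does not appear in the result at all."""
    counts = Counter()
    for event in events:
        user = coalesce(*(event.get(field) for field in user_fields))
        if user is None:
            continue  # null group-by field: dropped, exactly like stats does
        counts[(event["host"], user)] += 1
    # `| sort host` (ties broken by user so the output is deterministic)
    return sorted(counts.items(), key=lambda item: item[0])


def naive_report(events):
    """The original search: only User_Name, so 2008 hosts vanish."""
    return stats_count_by_host_user(events, ["User_Name"])


def coalesced_report(events):
    """The suggested search: User_Name coalesced with Account_Name."""
    return stats_count_by_host_user(events, ["User_Name", "Account_Name"])


def dropped_event_count(events, user_fields):
    """How many events the report silently ignores; worth checking, since a
    login count that quietly excludes hosts is worse than an obvious error."""
    return sum(
        1 for event in events
        if coalesce(*(event.get(field) for field in user_fields)) is None
    )


if __name__ == "__main__":
    for label, report in (("naive", naive_report(SAMPLE_EVENTS)),
                          ("coalesced", coalesced_report(SAMPLE_EVENTS))):
        print(label)
        for (host, user), count in report:
            print(f"  {host:10} {user:8} {count}")
    print("dropped (naive):", dropped_event_count(SAMPLE_EVENTS, ["User_Name"]))
    print("dropped (coalesced):",
          dropped_event_count(SAMPLE_EVENTS, ["User_Name", "Account_Name"]))
```

Running it shows the naive report listing only dc2003-a while the coalesced report lists both hosts; the one event with neither field is still dropped, which `dropped_event_count()` makes visible. One caveat when applying this to real 4624 events: Splunk extracts Account_Name from both the Subject and New Logon sections of that event, so it is usually a multivalue field, and you may need to pick the logon account explicitly before counting.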

Thanks very much! I think this is what I am after!