Create new Field and Assign existing field in transforms.conf

kholleran — Tue, 27 Jul 2010 07:39:44 PDT

Thanks very much! I think this is what I am after!

Create new Field and Assign existing field in transforms.conf

gkanapathy — Thu, 15 Jul 2010 13:29:39 PDT

how about ... | eval User_Name=coalesce(User_Name,Account_Name) | stats count by User_Name

Create new Field and Assign existing field in transforms.conf

kholleran — Thu, 15 Jul 2010 11:43:36 PDT

Hello,

I am running into an issue where I want to report on the number of logins by server and user. The issue I have is that it appears in the windows 2003 server security event log the user is defined by the username field. However, in Windows 2008 server it is Account Name.

So if I did something like:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, User_Name | sort host

only Windows 2003 is showing up due to User_Name. I have to have:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, Account_Name | sort host

for Win 2008. I would like all this on one report. I tried something like:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, (User_Name OR Account_Name) | sort host
which did not work. So I am figuring I need to write a transforms. All I want to do is extract the Account_Name and assign it to a field called User_Name.

I have written more complex transforms but for some reason can't get my mind around this simple one in transforms.conf.

Thanks.

Kevin

Splunk Base : SplunkGeneral : #4408

Create new Field and Assign existing field in transforms.conf

Create new Field and Assign existing field in transforms.conf

Create new Field and Assign existing field in transforms.conf