We have a batch search that looks for password changes on Windows boxes that happened "yesterday" and sorts the results by what system the change took place on.
"Change Password Attempt" OR "attempt was made to change" | rex "Caller User Name:\s(?<Caller_User_Name>\S+).*" | rex "Target Account Name:\s(?<Target_Account_Name>\S+).*" | sort host
The results are mailed out in a spreadsheet to be reviewed.
If a user has more than 1 password change on a system I would like to be able to have the results show a summary indicating that the user had x password changes rather than multiple lines each listing 1 occurrence of a change. I still want the results to be separated by host, so if a user changed their password on more than one system, they will show up under each system as having changed their password x times on that system.
Thanks, Bill
Sounds like a simple stats command is all you need.
Try this:
"Change Password Attempt" OR "attempt was made to change" | rex "Caller User Name:\s(?<Caller_User_Name>\S+)" | rex "Target Account Name:\s+(?<Target_Account_Name>\S+)" | stats count by Target_Account_Name, Caller_User_Name, host | sort host
BTW, your search would be faster if you include some kind of source/sourcetype as part of your search criteria. Probably something like: sourcetype=WinEventLog:Security
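As an added illustration (not part of the answer above, and not Splunk code), the following Python script runs the same field extraction and "count by target, caller, host" aggregation over constructed sample events, so the shape of the summary rows can be checked offline. The sample messages, host names and account names are made up. It also covers one caveat the rex pattern in the search does not: the newer "An attempt was made to change an account's password" message (Event ID 4723) does not carry "Caller User Name:" or "Target Account Name:" labels, it uses "Account Name:" under a Subject section and a Target Account section, so a rex written for the legacy wording yields no field for those events, and `stats ... by` then silently drops them.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). Each entry is
# (host, raw message text) as the Windows Security log message appears in
# the Splunk event. Two wordings are mixed on purpose: the legacy
# "Change Password Attempt" message with "Caller User Name:" and
# "Target Account Name:" labels, and the Event ID 4723 message, which uses
# Subject / Target Account sections each carrying an "Account Name:" label.
SAMPLE_EVENTS = [
    ("DC01", "Change Password Attempt:\n\tTarget Account Name:\tjdoe\n"
             "\tTarget Domain:\tCORP\n\tCaller User Name:\tjdoe\n\tCaller Domain:\tCORP"),
    ("DC01", "Change Password Attempt:\n\tTarget Account Name:\tjdoe\n"
             "\tTarget Domain:\tCORP\n\tCaller User Name:\tjdoe\n\tCaller Domain:\tCORP"),
    ("DC01", "Change Password Attempt:\n\tTarget Account Name:\tsvc_backup\n"
             "\tTarget Domain:\tCORP\n\tCaller User Name:\tadmin\n\tCaller Domain:\tCORP"),
    ("FS02", "Change Password Attempt:\n\tTarget Account Name:\tjdoe\n"
             "\tTarget Domain:\tCORP\n\tCaller User Name:\tjdoe\n\tCaller Domain:\tCORP"),
    ("FS02", "An attempt was made to change an account's password.\n\nSubject:\n"
             "\tSecurity ID:\tS-1-5-21-1-2-3-1001\n\tAccount Name:\tjdoe\n"
             "\tAccount Domain:\tCORP\n\tLogon ID:\t0x3e7\n\nTarget Account:\n"
             "\tSecurity ID:\tS-1-5-21-1-2-3-1001\n\tAccount Name:\tjdoe\n\tAccount Domain:\tCORP"),
    # Truncated message with no caller label: neither pattern pair matches.
    ("FS02", "Change Password Attempt:\n\tTarget Account Name:\tjdoe\n\tTarget Domain:\tCORP"),
]

# Legacy wording: mirrors the two rex commands in the answer. \s+ (rather than
# a single \s) tolerates a tab or a run of spaces between label and value.
LEGACY_CALLER = re.compile(r"Caller User Name:\s+(?P<Caller_User_Name>\S+)")
LEGACY_TARGET = re.compile(r"Target Account Name:\s+(?P<Target_Account_Name>\S+)")
# 4723 wording: the caller is the first "Account Name:" after "Subject:",
# the target is the first "Account Name:" after "Target Account:".
NEW_CALLER = re.compile(r"Subject:.*?Account Name:\s+(?P<Caller_User_Name>\S+)", re.S)
NEW_TARGET = re.compile(r"Target Account:.*?Account Name:\s+(?P<Target_Account_Name>\S+)", re.S)


def extract_fields(message):
    """Return (caller, target) from either message wording, or None if
    either field cannot be extracted (the rex-produced-no-field case)."""
    for caller_re, target_re in ((LEGACY_CALLER, LEGACY_TARGET), (NEW_CALLER, NEW_TARGET)):
        caller = caller_re.search(message)
        target = target_re.search(message)
        if caller and target:
            return caller.group("Caller_User_Name"), target.group("Target_Account_Name")
    return None


def count_changes(events):
    """Equivalent of `stats count by Target_Account_Name, Caller_User_Name, host | sort host`.
    Returns (rows, dropped): rows are (host, target, caller, count) tuples sorted by
    host, then target, then caller; dropped counts events lacking a by-field, which
    stats excludes from its output without any warning."""
    counts = Counter()
    dropped = 0
    for host, message in events:
        fields = extract_fields(message)
        if fields is None:
            dropped += 1
            continue
        caller, target = fields
        counts[(host, target, caller)] += 1
    rows = [(host, target, caller, n) for (host, target, caller), n in sorted(counts.items())]
    return rows, dropped


if __name__ == "__main__":
    rows, dropped = count_changes(SAMPLE_EVENTS)
    for host, target, caller, n in rows:
        print(f"{host}: {target} changed by {caller}: {n} time(s)")
    print(f"events dropped for missing fields: {dropped}")
```

The `dropped` counter is the thing to watch in practice: if it is non-zero on real data, the rex patterns are missing a message wording and the emailed summary is under-counting. Splitting the count by caller as well as target also separates self-service changes (caller equals target) from changes made on someone else's account, which is the case a reviewer usually cares about.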
You can give both of us some points by officially accepting this answer. Just click on the check on the side of this answer.
That worked like I was hoping, Thanks!