I have been trying with the below query to capture the failed login attempts made on the Windows servers.
source="WinEventLog:Security" (EventCode="4625" OR EventCode="539" OR EventCode="529" OR EventCode="531") | eval User_Name=coalesce(User_Name,Account_Name) | stats count, list(User_Name) by host
But the above query will give output as below:
host         count  list(User_Name)
dc1server01  1      john john
It says the count is 1, but in the list it gives the username twice (john). I used dedup, but I am still not able to fix the issue.
Can anyone please let me know the solution for this?
Hey,
Can you post what your actual logs look like? I wrote the same report but used mvindex instead of coalesce, as I was having an issue where the Account Name field was listed more than once and I had to specify which one I needed.
It looks like you are trying to combine two fields into one using coalesce. Try using case instead, example:
eval UserName=case(k8cname!="", k8cname, User_Name!="", User_Name)
This takes the fields k8cname and User_Name and combines them into one field, UserName. A little roundabout, but it works.
I-Man
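Putting the two suggestions above together (mvindex from the first reply, case from I-Man's), here is a complete search that reports failed logons per host without the repeated name. This is an added example, not a query posted by anyone in the thread. It assumes the field extraction of Splunk's Windows add-on, where a 4625 event body lists the Subject account first and the account for which logon failed second, so Account_Name arrives as a multivalue field with the target account at index 1, while the legacy 529/531/539 events carry a single User_Name field; the names failed_user, failures, distinct_users and failed_users are chosen here for the example.

```spl
source="WinEventLog:Security" (EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=539)
| eval failed_user=case(isnotnull(User_Name), User_Name,
                        mvcount(Account_Name) > 1, mvindex(Account_Name, 1),
                        isnotnull(Account_Name), Account_Name)
| stats count AS failures, dc(failed_user) AS distinct_users, values(failed_user) AS failed_users BY host
| sort - failures
```

The original duplicate comes from coalesce returning the whole multivalue Account_Name (Subject and target) and list() keeping every value as-is; picking one index with mvindex removes it at the source, and values() in place of list() de-duplicates whatever remains, so dedup after stats is not needed. Counting dc(failed_user) next to the raw failure count makes a single account being hammered (many failures, one user) distinguishable from a spray across accounts (many failures, many users) when reviewing the report.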