Is there a way to rename the EventCode xxxx values to a "description" field in a timechart? Here is a sample search:
Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | timechart count by EventCode
Thanks!
Hi smudge797,
You say that my answer is good. Now vote for it.
You should use a CSV lookup here.
Just follow these steps, assuming your CSV is named winevents.csv and has this structure:
EventCode,Description
513,Windows is shutting down
514,An authentication package has been loaded by the Local Security Authority
This would be your search:
Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | lookup winevents.csv EventCode OUTPUT Description | timechart count by Description
Hi, I am following the guideline but I am facing the error "Could not find all of the specified lookup fields in the lookup table". Please advise.
Hi smudge,
Did you try CSV lookups? Check this out.
Hope it helps!
You can use the replace command to do it. Try like this:
... | replace 4800 WITH "The workstation was locked" IN EventCode | replace 4801 WITH "The workstation was unlocked" IN EventCode | ...
Hi,
I have rectified the case statement; retry with this:
Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description
Thanks, but I need the description to be something like:
4768 A Kerberos authentication ticket (TGT) was requested
4800 The workstation was locked
4801 The workstation was unlocked
4768 User Logged in
Rather than just listing the event codes.
Just retry my new search code above.
This worked, from Chimell. Thanks.
Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description
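For reference, here is a combined search that is an added example, not code posted by anyone in this thread. It assumes the winevents.csv lookup from the earlier answer has been uploaded as a lookup table file with the header row exactly `EventCode,Description` (lookup field names are matched against the CSV header, so a header that differs in spelling or case is what produces the "Could not find all of the specified lookup fields in the lookup table" error). It takes the description from the lookup first, falls back to an inline case() for the codes this thread covers, and gives every remaining event a default label, because `timechart count by description` silently drops events whose description is null. The index name `blah` and the one-hour span are assumptions from the thread's sample search.

```spl
index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" Account_Name=*
    (EventCode=4768 OR EventCode=4800 OR EventCode=4801)
| lookup winevents.csv EventCode OUTPUT Description
| eval description=coalesce(Description,
      case(EventCode=="4768", "A Kerberos authentication ticket (TGT) was requested",
           EventCode=="4800", "The workstation was locked",
           EventCode=="4801", "The workstation was unlocked",
           true(), "EventCode ".EventCode))
| timechart span=1h count by description
```

The `true()` branch is the part worth keeping even if you drop the lookup: without a default, any EventCode added to the base search later but not to the case() vanishes from the chart instead of showing up as an unlabelled series.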
Go accept and upvote the answer of Mm chimell if you agree, Mm smudge797.
Thanks.
Nice! Thanks
Where is the query that you proposed?
I'm OK with Mm chimell; where is your answer, Mm smudge797?
Post your answer because it can help somebody.
Thanks.