I am using the search below for the locked out accounts - Should be possible to sort the result by the user with high number
Thank you in advance
`windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
Do you need the timechart or a simple table would do the job?
If so:
windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| top limit=0 Locked_Account
Do you need the timechart or a simple table would do the job?
If so:
windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| top limit=0 Locked_Account
Hi,
I need a Timechart with the User legend sorted by user with highest number of locked-out instead of legend sort in alphabetic order.
That is a bit more complicated mainly because you don't have the totals per user and time in the same table.
The following might give you the best of both worlds:
windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| timechart count by Locked_Account
| untable _time Locked_Account count
| eventstats sum(count) as total_count by Locked_Account
| xyseries _time Locked_Account count total_count
Let me know if that helps
your search duplicate the results as "count" and "total_count" reporting and the user list is empty
Using the search below whit a "line chart" the Legend is in alphabetic order - I am looking to sort the legend from the user with the highest number of locked-out events.
`windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account