index=_audit tag=authentication | stats count by user, info | sort - info
This works fine, but it includes LDAP as well. Let me check how to get only local accounts.
One more question - do you have both local accounts and LDAP authentication together ah?!?!
Looks like source and sourcetype are audittrail. I hope this is the same for LDAP and local users as well. Please check it and update us (for those who use LDAP only).
index=_audit source = audittrail sourcetype = audittrail
Thanks! It got both LDAP and local accounts.