Hello,
So I'm looking to a use case where I have to create a table that shows multiple failed logins on the same workstation by different usernames.
Here's what I have so far:
index=windows* sourcetype=WinEventLog:Security EventCode=4625 | eval AccountName=mvindex(Account_Name, 1) | stats values(AccountName) by Workstation_Name
That shows all accounts that failed to log in. I want the result where there are multiple failed accounts on the same workstation. So something like ....| where AccountName > 1.
Please let me know if this makes sense. Thanks!
Try like this
index=windows* sourcetype=WinEventLog:Security EventCode=4625 | eval AccountName=mvindex(Account_Name, 1) | stats values(AccountName) as Accounts by Workstation_Name | where mvcount(Accounts)>1
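As an added example (not code from this thread or from Splunk), here is the accepted search's logic re-implemented in Python over constructed 4625 events, so the role of mvindex(Account_Name, 1) and mvcount() can be inspected without a Splunk instance. The event text, regexes, function names and the min_accounts threshold (2, matching mvcount(Accounts)>1) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample 4625 events (not real logs), flattened to one line each.
# Like the real event text, each carries two "Account Name:" fields: the
# Subject (the requesting account, often "-") and the account whose logon
# failed. Splunk extracts both into the multivalue field Account_Name, which
# is why the search uses mvindex(Account_Name, 1) to pick the second one.
SAMPLE_EVENTS = [
    "EventCode=4625 Subject: Account Name: - Account Name: alice Workstation Name: WS01",
    "EventCode=4625 Subject: Account Name: - Account Name: bob Workstation Name: WS01",
    "EventCode=4625 Subject: Account Name: - Account Name: alice Workstation Name: WS01",
    "EventCode=4625 Subject: Account Name: - Account Name: carol Workstation Name: WS02",
    "EventCode=4625 Subject: Account Name: - Account Name: carol Workstation Name: WS02",
    "EventCode=4625 Subject: Account Name: - Account Name: dave Workstation Name: WS03",
    "EventCode=4625 Subject: Account Name: - Account Name: erin Workstation Name: WS03",
    "EventCode=4625 Subject: Account Name: - Account Name: frank Workstation Name: WS03",
]

ACCOUNT_RE = re.compile(r"Account Name:\s+(\S+)")
WORKSTATION_RE = re.compile(r"Workstation Name:\s+(\S+)")


def extract_fields(event):
    """Emulate Splunk's field extraction: Account_Name becomes a multivalue
    field (list, in order of appearance), Workstation_Name a single value."""
    m = WORKSTATION_RE.search(event)
    return {"Account_Name": ACCOUNT_RE.findall(event),
            "Workstation_Name": m.group(1) if m else None}


def workstations_with_multiple_failed_accounts(events, min_accounts=2):
    """Equivalent of:  eval AccountName=mvindex(Account_Name, 1)
                     | stats values(AccountName) as Accounts by Workstation_Name
                     | where mvcount(Accounts)>1
    Returns {Workstation_Name: sorted distinct accounts that failed there}."""
    accounts_by_ws = defaultdict(set)
    for raw in events:
        fields = extract_fields(raw)
        names = fields["Account_Name"]
        if len(names) < 2 or fields["Workstation_Name"] is None:
            # mvindex(..., 1) would be null, or the by-field is missing:
            # stats drops such events, so skip them here too.
            continue
        accounts_by_ws[fields["Workstation_Name"]].add(names[1])
    # values() is deduplicated, so mvcount(Accounts) counts distinct accounts.
    return {ws: sorted(a) for ws, a in accounts_by_ws.items() if len(a) >= min_accounts}
```

Running it over the sample events reports WS01 and WS03 (two and three distinct failing accounts) and leaves out WS02, where only carol failed repeatedly.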
Dude!!! Thank you very much. I was not aware of the mvcount expression. This worked like a charm. Cheers!