I am trying to search our Windows logs and our Fortinet logs for specific info.
(index=windows) OR (Index=fortinet) AND EventCode=4624 dstport=3389
I am having no luck playing with any combination, trying to get the EventCode(Windows) and dstport(Fortinet) to display the data I want. Any help would be appreciated.
AND is implied. Are EventCode and dstport in both indexes? If not, you'll want to put that field filter inside the correct index param.
(index=windows) OR (index=fortinet) (EventCode=4624 OR dstport=3389)
or (for example)
(index=windows EventCode=4624) OR (index=fortinet dstport=3389)
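To see why the grouping matters, here is a small Python model of Splunk's search-term precedence (an added illustration, not Splunk's own code or anything posted in the thread): OR binds tighter than the AND implied between adjacent terms, and field names are case-sensitive, so the original search demanded EventCode=4624 and dstport=3389 on the same event. The three searches are the ones from this thread; the sample events and the `run` helper are constructed for the demo.

```python
import re

# The three searches from the thread: the broken one and the two fixes.
ORIGINAL = "(index=windows) OR (Index=fortinet) AND EventCode=4624 dstport=3389"
GROUPED = "(index=windows) OR (index=fortinet) (EventCode=4624 OR dstport=3389)"
PER_INDEX = "(index=windows EventCode=4624) OR (index=fortinet dstport=3389)"

# Constructed sample events, not real log data: two Windows logons, two Fortinet sessions.
EVENTS = [
    {"index": "windows", "EventCode": "4624", "srcip": "203.0.113.7"},
    {"index": "windows", "EventCode": "4625", "srcip": "203.0.113.7"},
    {"index": "fortinet", "dstport": "3389", "srcip": "203.0.113.7"},
    {"index": "fortinet", "dstport": "443", "srcip": "203.0.113.7"},
]

def tokenize(search):
    # Whitespace-separated terms, with parentheses as their own tokens.
    return re.findall(r"\(|\)|[^\s()]+", search)

def parse(tokens):
    """Splunk order: parentheses, then OR, then the (implied or explicit) AND."""
    pos = [0]

    def atom():
        tok = tokens[pos[0]]; pos[0] += 1
        if tok == "(":
            node = and_expr()
            pos[0] += 1                          # consume the closing ")"
            return node
        field, value = tok.split("=", 1)         # field=value term only
        return ("term", field, value.lower())    # values compare case-insensitively

    def or_expr():
        operands = [atom()]
        while pos[0] < len(tokens) and tokens[pos[0]].upper() == "OR":
            pos[0] += 1
            operands.append(atom())
        return ("or", operands)

    def and_expr():
        operands = [or_expr()]
        while pos[0] < len(tokens) and tokens[pos[0]] != ")":
            if tokens[pos[0]].upper() == "AND":  # explicit AND equals the implied one
                pos[0] += 1
            operands.append(or_expr())
        return ("and", operands)

    return and_expr()

def evaluate(node, event):
    if node[0] == "term":                        # field names are case-sensitive
        return str(event.get(node[1], "")).lower() == node[2]
    results = [evaluate(child, event) for child in node[1]]
    return all(results) if node[0] == "and" else any(results)

def run(search, events=EVENTS):
    tree = parse(tokenize(search))
    return [e for e in events if evaluate(tree, e)]
```

`run(ORIGINAL)` returns no events, while `run(GROUPED)` and `run(PER_INDEX)` both return the 4624 logon and the 3389 session.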
That was it, thank you very much, I am now one baby step closer to being a Splunk Guru!!! Below is my whole search now working perfectly!!!
(index=windows EventCode=4624) OR (index=fortinet dstport=3389) | stats sparkline count by srccountry,srcip,dstip | sort srccountry |lookup dnslookup clientip as srcip OUTPUT clienthost as Attacker_Host | lookup dnslookup clientip as dstip OUTPUT clienthost as FH_Computer