I have this search 1:
```
index=br_activedirectory_microsoft EventCode=4624 Account_Domain=AGBANESPA Account_Name=A*
| fields Account_Domain, Account_Name, Source_Network_Address
| dedup Account_Domain, Account_Name, Source_Network_Address
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| eval user = substr(mvindex(Account_Name,1),2,4)
| eval hostname = substr(clienthost,3,4)
| where user != hostname
| lookup new_hostname_lookup hostname as hostname OUTPUT ENDEREÇO, UF, REG, CEP, REDE
| lookup new_user_lookup user as user OUTPUT ENDEREÇO_user, UF_user, REG_user, CEP_user, REDE_user
| where REG != REG_user AND REDE != REDE_user
| table Account_Name
| rename Account_Name as "Siglas dos usúarios com acessos indevidos"
```
And I have this search 2:
```
index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634 Account_Name=A* Account_Domain=AGBANESPA
| search NOT (Account_Name=$$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS*)
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT (User=*$$ OR User=system)
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=_time+duration
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
| eval h=floor(duration/3600) | eval m=floor((duration-(h*3600))/60) | eval s=floor(duration-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s"
| dedup Logontime, Logofftime, SessionDuration, User, clienthost
| table Logontime, Logofftime, SessionDuration, User, clienthost
| sort User ComputerName
```
I would like to put search "1" inside search "2". I have tried doing this following the tutorials, but it's still not working. I have used the brackets [] and I was sure that the fields and the index were the same in both searches.
```
index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634 Account_Name=A* Account_Domain=AGBANESPA
    [ search index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634 Account_Domain=AGBANESPA Account_Name=A*
      | fields Account_Domain, Account_Name, Source_Network_Address
      | dedup Account_Domain, Account_Name, Source_Network_Address
      | lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
      | eval user = substr(mvindex(Account_Name,1),2,4)
      | eval hostname = substr(clienthost,3,4)
      | where user != hostname
      | lookup new_hostname_lookup hostname as hostname OUTPUT ENDEREÇO, UF, REG, CEP, REDE
      | lookup new_user_lookup user as user OUTPUT ENDEREÇO_user, UF_user, REG_user, CEP_user, REDE_user
      | where REG != REG_user AND REDE != REDE_user
      | table Account_Name
      | rename Account_Name as "Siglas dos usúarios com acessos indevidos" ]
| search NOT (Account_Name=$$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS*)
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT (User=*$$ OR User=system)
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=_time+duration
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
| eval h=floor(duration/3600) | eval m=floor((duration-(h*3600))/60) | eval s=floor(duration-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s"
| dedup Logontime, Logofftime, SessionDuration, User, clienthost
| table Logontime, Logofftime, SessionDuration, User, clienthost
| sort User ComputerName
```
Could you guys help me build the right search?
Thanks for everything.
Your subsearch has this at the end:
```
| rename Account_Name as "Siglas dos usúarios com acessos indevidos"
```
The final field has to be a field that is in your data. If you remove this line, you will have what you need, as the field passed to the base search will now be a field that actually exists in the index.
That was the problem! Thanks nvanderwalt, you are the man!
Can you please explain what you want to achieve? And in what sense is it "still not working"? What output do you get, and how is that different from what you expected?
What troubleshooting have you done so far? Have you executed the subsearch (in that exact form) on its own, to confirm that gives the expected result?
I've added backticks for better readability.
Skalli