- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- help with AD user search where user!="*$"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm doing searches for account login failures using EventCode="4625".
The problem is the search returns a lot of results of user "$" trying to log onto itself or other hosts. I believe these logon event types are something to do with Remote Desktop Services or mapping drives from one host to another etc, but i'm trying to filter them out of my search.
So far my search looks like:
index=wineventlog sourcetype=WinEventLog:Security host=xxxx* | where EventCode="4625"
| where user!="*$" | stats count by user, ComputerName, Eventcode,
| sort user, - count
| rename Eventcode as "Windows Event ID", count as "Number of Events", user as "Active Directory Account"
I'm trying to use where user!"$" (i.e where user doesnt equal anything ending with a $) to filter it out but it's not working.
I've also tried where user!="xxxx" and where user!="xxxx*$" and that hasn't worked either.
Any ideas? Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can filter directly .. .no need for | where ....
like this;
index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode="4625" user!="*$"
| stats count as "Number of Events" by user, ComputerName, Eventcode,
| sort user, - count
| rename Eventcode as "Windows Event ID", user as "Active Directory Account"
highly recommend to go through splunk fundamentals 1
https://splunk.com/en_us/training/courses/splunk-fundamentals-1.html
and read the search manual / go through the search tutorial in deatil
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial
good luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can filter directly .. .no need for | where ....
like this;
index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode="4625" user!="*$"
| stats count as "Number of Events" by user, ComputerName, Eventcode,
| sort user, - count
| rename Eventcode as "Windows Event ID", user as "Active Directory Account"
highly recommend to go through splunk fundamentals 1
https://splunk.com/en_us/training/courses/splunk-fundamentals-1.html
and read the search manual / go through the search tutorial in deatil
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial
good luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did the trick! Thanks so much.
Yeah fair call, i'd better go back and have another look.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
