Hello, I'd like to count events from Windows Logs in my search that include both EventCode="4624" as well as Account_Name!=ssh*, so that it would count events that have event code=4624 and doesn't have an account name starting with ssh.
I'm trying with this:
| stats count(eval(EventCode="4624") AND Account_Name!=ssh*) as Logged_On
but an error shows up saying: "The eval expression for dynamic field 'eval(EventCode="4624") AND eval(Nazwa_konta!=ssh*)' is invalid. Error='The operator at ') AND eval(Nazwa_konta!=ssh*' is invalid.'."
Any ideas how to fix it?
@nataliamur
Can you please try this?
YOUR_SEARCH | stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On
You can change the field name and comparison as per your requirement.
Sample:
| makeresults
| eval EventCode="4624",Account_Name="ssh"
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On
Thanks
Hi,
maybe I should show you more of the code I'm trying to run:
source="WinEventLog:Security"
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On count(eval(EventCode="4625")) as Fail by ComputerName
| where Logged_On>0 AND Fail >2
So I'm trying to put in "Logged_On" these events that have EventCode=4624 and don't have an account name: ssh.
I've tried what you suggested and didn't work.
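Two things commonly break a search of this shape: the parentheses around each count(eval(...)) must balance, and SPL field names are case-sensitive, so the alias given in stats (Logged_On) has to match the name used in where exactly. The search below is an added, self-contained example (not from the original thread) that builds its own constructed event rows with makeresults, so it can be run on any Splunk instance without the Security log. The host names, account names and the hosts-with-failures logic are assumptions for illustration; the lower() wrapper makes the "ssh" prefix test independent of how the account name is capitalised.

```spl
| makeresults
| eval row=split("4624,jdoe,HOST1;4625,jdoe,HOST1;4625,jdoe,HOST1;4625,jdoe,HOST1;4624,SSH-svc,HOST2;4625,bob,HOST2;4625,bob,HOST2;4625,bob,HOST2", ";")
| mvexpand row
| rex field=row "^(?<EventCode>[^,]+),(?<Account_Name>[^,]+),(?<ComputerName>[^,]+)$"
| fields - row
| stats count(eval(EventCode="4624" AND NOT like(lower(Account_Name),"ssh%"))) as Logged_On
        count(eval(EventCode="4625")) as Fail
        by ComputerName
| where Logged_On>0 AND Fail>2
```

With this constructed data, HOST1 gets Logged_On=1 and Fail=3 and passes the where clause; HOST2's only 4624 comes from SSH-svc, so its Logged_On is 0 and the row is dropped. Against real data, replace the first five lines with source="WinEventLog:Security" and keep the stats and where lines; the result is the list of hosts that saw several failed logons (4625) followed by at least one successful non-ssh logon (4624), which is the kind of pattern worth reviewing for password guessing.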