I am using the search below to find the last login over a subnet in a 24hr range. Using "dedup Account_Name", if the same Account_Name performs a login over more than one IP, I will receive only one result. I am looking to find all last logins over the entire range of IP addresses (src_ip).
Thank you in advance
index="main" Source_Network_Address="10.3.140.*" EventCode=4624 Account_Name="*" AND Account_Name !=CZ* AND Account_Name !=5* AND Account_Name !=CN* AND Account_Name !=ANONYMOUS* AND Security_ID="*" | dedup Account_Name | table Account_Name Security_ID src_ip _time
When posting code, be sure to mark it as code so that the system doesn't read an asterisk as a formatting command, and doesn't delete items in angle brackets as bad html. I've fixed that for you.
There are various ways - highlight the code and hit the code button (101 010), or put grave accents (`) before and after the entire chunk of code, or indent each line by at least four spaces. There's also a function key, IIRC.
Try this
index="main" Source_Network_Address="10.3.140.*" EventCode=4624 Account_Name="*" AND Account_Name !=CZ* AND Account_Name !=5* AND Account_Name !=CN* AND Account_Name !=ANONYMOUS* AND Security_ID="*" | stats latest(Account_Name) latest(Security_ID) by src_ip _time
@sundareshr - There were some asterisks missing from the original code, please see the updated post.
sundareshr's search worked, minus a small error...
| stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip | fieldformat Time=strftime(Time, "%m/%m/%Y %H:%M:%S")
should be | stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip | fieldformat Time=strftime(Time, "%m/%d/%Y %H:%M:%S")
The reason Account_Name is not reported is because you have an Account_Name="" in your search. Remove that. Also, make this change: `.... | stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip | fieldformat Time=strftime(Time, "%m/%m/%Y %H:%M:%S")`
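To make the difference between the two approaches concrete, here is an added Python emulation of the thread's SPL run over a handful of constructed 4624/4625 events. It is not code from the original thread or from Splunk: `dedup_by_account` mirrors `| dedup Account_Name` (Splunk keeps the first event in search order, which is newest first, so one row per account survives), and `latest_by_src_ip` mirrors `| stats latest(_time) as Time latest(Account_Name) latest(Security_ID) by src_ip` with the corrected `%m/%d/%Y` format. The pipe-delimited sample lines, the account names, SIDs and addresses are all made up for the example; the case-insensitive prefix exclusions and the `src_ip` alias for `Source_Network_Address` are assumptions about how the asker's environment maps the fields.

```python
"""Emulates the thread's 'last logon per source IP' SPL over constructed Windows 4624 events."""
from datetime import datetime

# Constructed sample events (pipe-delimited key=value fields), not real logs.
SAMPLE_EVENTS = """\
_time=2024-05-01T07:00:00|EventCode=4624|Account_Name=jdoe|Security_ID=S-1-5-21-1-2-3-1001|Source_Network_Address=10.3.140.22
_time=2024-05-01T08:00:00|EventCode=4624|Account_Name=jdoe|Security_ID=S-1-5-21-1-2-3-1001|Source_Network_Address=10.3.140.15
_time=2024-05-01T09:30:00|EventCode=4624|Account_Name=jdoe|Security_ID=S-1-5-21-1-2-3-1001|Source_Network_Address=10.3.140.22
_time=2024-05-01T10:15:00|EventCode=4624|Account_Name=asmith|Security_ID=S-1-5-21-1-2-3-1002|Source_Network_Address=10.3.140.15
_time=2024-05-01T10:20:00|EventCode=4624|Account_Name=CZ01|Security_ID=S-1-5-21-1-2-3-1003|Source_Network_Address=10.3.140.30
_time=2024-05-01T10:25:00|EventCode=4624|Account_Name=ANONYMOUS LOGON|Security_ID=S-1-5-7|Source_Network_Address=10.3.140.40
_time=2024-05-01T10:30:00|EventCode=4625|Account_Name=bjones|Security_ID=S-1-5-21-1-2-3-1004|Source_Network_Address=10.3.140.50
_time=2024-05-01T10:35:00|EventCode=4624|Account_Name=bjones|Security_ID=S-1-5-21-1-2-3-1004|Source_Network_Address=10.3.141.50
"""

SUBNET_PREFIX = "10.3.140."                     # Source_Network_Address="10.3.140.*"
EXCLUDED_PREFIXES = ("CZ", "5", "CN", "ANONYMOUS")  # Account_Name!=CZ* AND !=5* AND !=CN* AND !=ANONYMOUS*


def parse_events(text):
    """Parse the constructed sample lines into dicts; src_ip is assumed to alias Source_Network_Address."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split("|"))
        ev["_time"] = datetime.fromisoformat(ev["_time"])
        ev["src_ip"] = ev["Source_Network_Address"]
        events.append(ev)
    return events


def matches_search(ev, earliest=None):
    """Mirror the base search: time range, EventCode, subnet, non-empty account/SID, prefix exclusions."""
    if earliest is not None and ev["_time"] < earliest:
        return False
    if ev.get("EventCode") != "4624":
        return False
    if not ev.get("Source_Network_Address", "").startswith(SUBNET_PREFIX):
        return False
    name = ev.get("Account_Name", "")
    if not name or not ev.get("Security_ID"):      # Account_Name="*" AND Security_ID="*"
        return False
    # Splunk wildcard comparisons on field values are case-insensitive, so compare upper-cased (assumption).
    return not name.upper().startswith(EXCLUDED_PREFIXES)


def _row(ev):
    # Same shape as the final table: Time rendered with the corrected "%m/%d/%Y" fieldformat.
    return {
        "Time": ev["_time"].strftime("%m/%d/%Y %H:%M:%S"),
        "Account_Name": ev["Account_Name"],
        "Security_ID": ev["Security_ID"],
        "src_ip": ev["src_ip"],
    }


def dedup_by_account(events):
    """`| dedup Account_Name`: Splunk keeps the first event in search order (newest first), one row per account.
    An account that logged on from several IPs therefore keeps only its most recent IP."""
    rows = {}
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        rows.setdefault(ev["Account_Name"], _row(ev))
    return rows


def latest_by_src_ip(events):
    """`| stats latest(_time) latest(Account_Name) latest(Security_ID) by src_ip`: one row per source IP,
    carrying whichever account produced the chronologically latest 4624 from that address."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["src_ip"])
        if cur is None or ev["_time"] > cur["_time"]:
            latest[ev["src_ip"]] = ev
    return {ip: _row(ev) for ip, ev in latest.items()}


if __name__ == "__main__":
    hits = [e for e in parse_events(SAMPLE_EVENTS) if matches_search(e)]
    print("dedup Account_Name  ->", dedup_by_account(hits))
    print("stats latest by src_ip ->", latest_by_src_ip(hits))
```

Running it shows the asker's problem directly: `dedup_by_account` returns jdoe only once (for 10.3.140.22, the newer logon), while `latest_by_src_ip` returns both 10.3.140.15 and 10.3.140.22, with 10.3.140.15 attributed to asmith because that was the last 4624 from that address. Note that `latest(Account_Name)` and `latest(Security_ID)` are computed independently per group, so on real data keep the `Account_Name`/`Security_ID` pairing in mind if several accounts share a source address within the same second.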