- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to Sort the "count by..." results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the search below for the locked out accounts - Should be possible to sort the result by the user with high number
Thank you in advance
`windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you need the timechart or a simple table would do the job?
If so:
windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| top limit=0 Locked_Account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you need the timechart or a simple table would do the job?
If so:
windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| top limit=0 Locked_Account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need a Timechart with the User legend sorted by user with highest number of locked-out instead of legend sort in alphabetic order.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is a bit more complicated mainly because you don't have the totals per user and time in the same table.
The following might give you the best of both worlds:
windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| timechart count by Locked_Account
| untable _time Locked_Account count
| eventstats sum(count) as total_count by Locked_Account
| xyseries _time Locked_Account count total_count
Let me know if that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your search duplicate the results as "count" and "total_count" reporting and the user list is empty
Using the search below whit a "line chart" the Legend is in alphabetic order - I am looking to sort the legend from the user with the highest number of locked-out events.
`windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
