I am looking into login logs from different Event IDs. Some events have two fields for Account_Name, while other events have only one Account_Name in their log.
What would my query be if I needed to compensate for either scenarios?
I have performed a query using mvindex(Account_Name, 1) to obtain the second Account_Name in the log. However, I am stuck where if there is no second Account_Name being used. To see if there is an issue, I inserted... | fillnull value=null |
My query is as follow:
index=main (EventCode=4624 OR EventCode=4647 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4770 OR EventCode=4771 OR EventCode=4774 OR EventCode=4776 OR EventCode=4778 OR EventCode=4779) | eval Account_Name=mvindex(Account_Name,1) | fillnull value=NULL | stats count by Account_Name | sort - count
I don't expect to see Null in my results as each Event should have at least one Account_Name.
Thank you in advance for any help.
Try like this. The mvindex(Account_Name,-1) will take the last item in the Account_Name multivalued field. If there are 2 items, 2nd item is picked and if there is only a single item, same will be returned.
index=main (EventCode=4624 OR EventCode=4647 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4770 OR EventCode=4771 OR EventCode=4774 OR EventCode=4776 OR EventCode=4778 OR EventCode=4779) | eval Account_Name=mvindex(Account_Name,-1) | stats count by Account_Name | sort - count