Re: count eval, error using AND

nataliamur · ‎12-03-2019

Hello, I'd like to count events from Windows Logs in my search that include both EventCode="4624" as well as Account_Name!=ssh*, so that it would count events that have event code=4624 and doesn't have an account name starting with ssh.
I'm trying with this:
| stats count(eval(EventCode="4624") AND Account_Name!-=ssh*) as Logged_On
but an error shows up telling "The eval expression for dynamic field 'eval(EventCode="4624") AND eval(Nazwa_konta!=ssh*)' is invalid. Error='The operator at ') AND eval(Nazwa_konta!=ssh*' is invalid.'."
Any ideas how to make it fix?

kamlesh_vaghela · ‎12-03-2019

@nataliamur

Can you please try this?

YOUR_SEARCH | stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

You can change field name and comparison as per your requirement.

Sample:

| makeresults 
| eval EventCode="4624",Account_Name="ssh" 
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

Thanks

nataliamur · ‎12-09-2019

Hi,

maybe I should give you a wider code of what I'm trying to do:

source="WinEventLog:Security"
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%")))) as Logged_ON count(eval(EventCode="4625")) as Fail by ComputerName
| where Logged_On>0 AND Fail >2

So I'm trying to put in "Logged_On" these events that have EventCode=4624 and don't have an account name: ssh.

I've tried what you suggested and didn't work.

count eval, error using AND

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?