I'm new to writing searches with a lookup table and need help knowing what's wrong with my logic. Here's my search so far.
index=wineventlog eventcode=4624 | eval hour_of_the_day=strftime(_time, "%H") | where hour_of_the_day >=17 or hour_of_the_day < 6 | eval hour_of_the_day=strftime(_time, "%H") | where hour_of_the_day >=17 or hour_of_the_day < 6 | table _time [| inputlookup domain_admins_lookup | fields lastLogonTimestamp] | table lastLogonTimestamp, displayName
I want to track all the after-hours domain admin logins. Please help. Thanks.
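An added search, not from the original post, showing one way to restrict the after-hours 4624 events to accounts listed in the lookup: the hour filter is applied once with a numeric comparison, and the lookup is joined with the lookup command instead of a subsearch inside table. It assumes the lookup has a sAMAccountName column that matches the event's Account_Name field, and that the Windows TA field name EventCode is in use; adjust both names to your data.

```spl
index=wineventlog EventCode=4624
| eval hour_of_the_day=tonumber(strftime(_time, "%H"))
| where hour_of_the_day >= 17 OR hour_of_the_day < 6
| lookup domain_admins_lookup sAMAccountName AS Account_Name OUTPUT displayName
| where isnotnull(displayName)
| table _time, Account_Name, displayName, hour_of_the_day
```

The isnotnull check keeps only events whose account matched a row in the lookup, so lastLogonTimestamp from the lookup is not needed: _time of the 4624 event is the logon time. Note that a classic-format 4624 event carries Account_Name as a multivalue field (Subject and New Logon sections), so verify which value matched before acting on a hit.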