Hi,
My report is quite similar to this one but my idea is to build a timechart for the Domain user account lockouts from two days.
The idea is to compare the user account lockouts (Event ID 644) difference between yesterday and today.
I created the search but something goes wrong as I get fewer matches than when running the searches separately.
sourcetype="WinEventLog:Security" EventCode="644" earliest=-0d@d latest=now | eval ReportKey="today" | append [search sourcetype="WinEventLog:Security" EventCode="644" earliest=-1d@d latest=-0d@d | eval ReportKey="yesterday"] | eval _time=if(ReportKey=="yesterday",_time+86400,_time) | timechart span=120m c(EventCode) by ReportKey
Thank you.