I'm almost finished with my search When I do this, search I've got what I want, but my count is not correct...
*I would like to count the status "0xc000006d" of a User on a Subject since his LastSucces. *
Here I count all results with this status since the beginning ..
Could you help me please ? 🙂
index = security EventCode = 4625
| where Status=="0xc000006d"
| eval timeE=strftime(_time, "%Y-%m-%d %H:%M:%S")
| append [
search index = security EventCode = 4624
| eval timeS=strftime(_time, "%Y-%m-%d %H:%M:%S")
]
| stats first(timeE) as LastEchec first(timeS) as LastSucces by Target_User_Name SubjectUserName
| eval st = if(LastSucces!= "", "OK", "NOK")
| eval compare=strptime(LastEchec,"%Y-%m-%d %H:%M:%S")
| where (st=="NOK" OR strptime(LastEchec,"%Y-%m-%d %H:%M:%S")>strptime(LastSucces,"%Y-%m-%d %H:%M:%S"))
| fillnull value=NULL LastSucces
| eval diff = tostring((now()-strptime(LastEchec,"%Y-%m-%d %H:%M:%S")), "duration")
| join Target_User_Name SubjectUserName
[
search index = security EventCode = 4625 Status="0xc000006d" earliest= **LastSucces**
| stats count by Target_User_Name SubjectUserName
]
| fields Target_User_Name SubjectUserName LastEchec LastSucces diff count
... View more