Hi,
I have my Windows logs with all users and I have a lookup which has a few user names. I need to display the users which are not in the lookup table. Similar searches of mine work for all the other cases, but in this case it's giving a list of all users which are there in my Windows logs without doing the NOT.
My search is:
index=windows (EventID=4624 OR EventID=540 OR EventID=528)
| rex field=Username "\\\\(?<user>.+)"
| search NOT [| inputlookup trusted_users.csv | table names | rename names as user]
| eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| stats values(user) by host
Someone please point out the error.
Thanks,
Kirana
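An alternative way to express the same exclusion, added here as an example and not part of the original post: instead of expanding the lookup into a `NOT (user="a" OR user="b" ...)` subsearch, join each event against the lookup and keep only the events that got no match. The lookup file name `trusted_users.csv`, its column `names`, and the extracted field `user` are taken from the question; `trusted` and `untrusted_users` are names chosen for this example.

```spl
index=windows (EventID=4624 OR EventID=540 OR EventID=528)
| rex field=Username "\\\\(?<user>.+)"
| where isnotnull(user)
| eval user=lower(user)
| lookup trusted_users.csv names AS user OUTPUT names AS trusted
| where isnull(trusted)
| stats values(user) AS untrusted_users by host
```

Two points worth checking with either form. First, `NOT user="alice"` in Splunk search also matches events that have no `user` field at all, so if the `rex` never matches (for example because `Username` holds no backslash) every event passes the NOT and every user is listed, which is the symptom described above; the `where isnotnull(user)` line above drops those events explicitly, and running the search up to the `rex` with `| stats count by user` shows whether the field is being extracted at all. Second, a `lookup` match is case-sensitive by default, while `search user="alice"` is not, so the `eval user=lower(user)` only works if the `names` column of the CSV is also stored in lowercase.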