I have this search 1:
index=br_activedirectory_microsoft EventCode=4624 Account_Domain=AGBANESPA Account_Name=A*
| fields Account_Domain, Account_Name, Source_Network_Address
| dedup Account_Domain, Account_Name, Source_Network_Address
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| eval user = substr(mvindex(Account_Name,1),2,4)
| eval hostname = substr(clienthost,3,4)
| where user !=hostname
| lookup new_hostname_lookup hostname as hostname OUTPUT ENDEREÇO, UF, REG, CEP , REDE
| lookup new_user_lookup user as user OUTPUT ENDEREÇO_user, UF_user, REG_user, CEP_user ,REDE_user
| where REG !=REG_user AND REDE !=REDE_user
| table Account_Name
| rename Account_Name as "Siglas dos usúarios com acessos indevidos"
and I have this search 2:
index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634 Account_Name=A* Account_Domain=AGBANESPA
| search NOT (Account_Name=$$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS*)
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT (User=*$$ OR User=system)
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=_time+duration
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
| eval h=floor(duration/3600) | eval m=floor((duration-(h*3600))/60) | eval s=floor(duration-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s"
| dedup Logontime, Logofftime, SessionDuration, User, clienthost
| table Logontime, Logofftime, SessionDuration, User, clienthost
| sort User ComputerName
I would like to put the search "1" inside of the search "2" . I have tried doing this following the tutorials, but it's still not working, ---------------I have used the brackets [] and I was sure that the fields and the index were the same in both searches.
index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634 Account_Name=A* Account_Domain=AGBANESPA
[ search index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634 Account_Domain=AGBANESPA Account_Name=A*
| fields Account_Domain, Account_Name, Source_Network_Address
| dedup Account_Domain, Account_Name, Source_Network_Address
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| eval user = substr(mvindex(Account_Name,1),2,4)
| eval hostname = substr(clienthost,3,4)
| where user !=hostname
| lookup new_hostname_lookup hostname as hostname OUTPUT ENDEREÇO, UF, REG, CEP , REDE
| lookup new_user_lookup user as user OUTPUT ENDEREÇO_user, UF_user, REG_user, CEP_user ,REDE_user
| where REG !=REG_user AND REDE !=REDE_user
| table Account_Name
| rename Account_Name as "Siglas dos usúarios com acessos indevidos"]
| search NOT (Account_Name=$$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS*)
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT (User=*$$ OR User=system)
| lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=_time+duration
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
| eval h=floor(duration/3600) | eval m=floor((duration-(h*3600))/60) | eval s=floor(duration-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s"
| dedup Logontime, Logofftime, SessionDuration, User, clienthost
| table Logontime, Logofftime, SessionDuration, User, clienthost
| sort User ComputerName
Could you guys help making the right search?
Thanks for all.
... View more