https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/351073#M42396 <P>The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype <A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/Abouteventtypes">here</A>). </P> <P>To see what's the actual search being run when you run <CODE>eventtype=msad-failed-user-logons</CODE>, you can<BR /> 1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.<BR /> 2. Go to Settings-&gt;Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.</P> Wed, 20 Sep 2017 02:46:56 GMT somesoni2 2017-09-20T02:46:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/351072#M42395 <P>I have the Splunk Windows Infrastructure app installed and when I run this search below:</P> <PRE><CODE>eventtype=msad-failed-user-logons host="*" </CODE></PRE> <P>I get this returned below, but I'm not understanding how the search result is associated to eventtype=msad-failed-user-logons. The below shows EventType=0. What does msad-failed-user-logons mean and how come it doesn't show that in the search result?</P> <PRE><CODE>09/19/2017 03:42:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=xxxxx.domain.local TaskCategory=Credential Validation OpCode=Info RecordNumber=9555000 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: someuser1 Source Workstation: WORKSTATION Error Code: 0xC0000071 Collapse host=somehost source=WinEventLog:Security sourcetype=WinEventLog:Security </CODE></PRE> Tue, 19 Sep 2017 22:56:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/351072#M42395 bayman 2017-09-19T22:56:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/351073#M42396 <P>The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype <A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/Abouteventtypes">here</A>). </P> <P>To see what's the actual search being run when you run <CODE>eventtype=msad-failed-user-logons</CODE>, you can<BR /> 1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.<BR /> 2. Go to Settings-&gt;Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.</P> Wed, 20 Sep 2017 02:46:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/351073#M42396 somesoni2 2017-09-20T02:46:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/701268#M81144 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a>&nbsp;what a great idea to name it same way and using upper/lower case to make them different between eventtype &amp; EventType...&nbsp;<span class="lia-unicode-emoji" title=":face_without_mouth:">😶</span></P> Tue, 08 Oct 2024 08:17:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Clarification-on-eventtypes-when-using-the-Splunk-App-for/m-p/701268#M81144 splunkreal 2024-10-08T08:17:21Z