topic Re: Need assistance with a command for application. in Getting Data In

Need assistance with a command for application.

jovnice — Thu, 22 Feb 2024 07:27:07 GMT

I keep getting an error message when I am attempting to this command

* EventCode=* user=* WinEventLog:Application | eval src_nt_host=coalesce(src_nt_host,host) | eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No") | stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user | eval time=strftime(time,"%c") | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures" | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"

I need to pull the application that are running in the event viewer. I was able to pull them in a different location, but I want it to say more information about with the user information.

Re: Need assistance with a command for application.

gcusello — Wed, 21 Feb 2024 17:59:23 GMT

Hi @jovnice,

WinEventLog:Application should be the source field and not a string as you are using.

Anyway, what's the error you're receiving?

Ciao.

Giuseppe

Re: Need assistance with a command for application.

VatsalJagani — Wed, 21 Feb 2024 18:50:21 GMT

index=<index-name> source="WinEventLog:Application" EventCode=* user=*

Also, please mention the specific error that you are getting, so we can help!!

Re: Need assistance with a command for application.

jovnice — Wed, 21 Feb 2024 19:14:06 GMT

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "index-name">source.

The search job has failed due to an error. You may be able view the job in the

Re: Need assistance with a command for application.

jovnice — Wed, 21 Feb 2024 19:27:19 GMT

I also try this for my search: source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=*

Received this for a message: No results found. Try expanding the time range.

Re: Need assistance with a command for application.

VatsalJagani — Thu, 22 Feb 2024 06:34:34 GMT

@jovnice - Please specify index. If you don't know the index, run this search for a longer time range, something like the last 7 days or so.

index=* source="*WinEventLog:Application"

Try this search and see if you see any results. Once you see any results then you can add more search criteria.

I hope this helps!!! Kindly upvote if this helps!!

Re: Need assistance with a command for application.

gcusello — Thu, 22 Feb 2024 07:39:15 GMT

Hi @jovnice ,

I hint to add index=wineventlog because gives you better performnces that the following solution!

anyway, if you don't want this olution, you could add the wineventlog index to the default search path (in [Settings > Roles> <your_role> > Indexes].

Ciao.

Giuseppe

Re: Need assistance with a command for application.

VatsalJagani — Thu, 22 Feb 2024 08:52:31 GMT

Please copy-paste the search query I gave.

Also, put your search query that you are trying to run here, so I can check what's wrong.

Re: Need assistance with a command for application.

gcusello — Thu, 22 Feb 2024 15:00:01 GMT

Hi @jovnice ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉