topic Re: Windows Failed Login Top Ten count in Getting Data In

Windows Failed Login Top Ten count

aberdamy — Mon, 28 Sep 2020 16:21:37 GMT

I am trying to get the top 10 Failed Login count by User. The problem is that Windows 2008 uses "Account_Name" and Windows 2003 uses "User_Name" so I've used eval to combine the two fields but I am also using rex to go to the second instance of the Account_Name in the Windows 2008 event. The rex expression doesn't seem to work when I throw eval in there. Below is my search string, any suggestions?

Re: Windows Failed Login Top Ten count

somesoni2 — Mon, 28 Sep 2020 16:21:43 GMT

Does the rex work if you don't use eval? If yes then you can try moving eval after rex.

Another option you can try is to that instead of eval USER, use '|rename User_Name as Account_Name | ...| stats count by Account_Name'.

Re: Windows Failed Login Top Ten count

aberdamy — Mon, 28 Sep 2020 16:21:46 GMT

thank you for your reply, unfortunately putting |eval after rex did not work and using the rename function did not produce any results:

Re: Windows Failed Login Top Ten count

aberdamy — Mon, 28 Sep 2020 16:21:49 GMT

Sorry I miss-typed that last one, the correct search string is below. I get results however it is missing the "4625" events. Conversely, if I rename as User_Name it does not include the "529" events

Re: Windows Failed Login Top Ten count

aberdamy — Mon, 28 Sep 2020 16:22:11 GMT

Solution:

Re: Windows Failed Login Top Ten count

somesoni2 — Fri, 11 Apr 2014 14:19:04 GMT

So max=99 in rex command did it?

Re: Windows Failed Login Top Ten count

aberdamy — Fri, 11 Apr 2014 14:51:31 GMT

yes, appears to have worked. Of course, as you can see the rex has been changed as well