topic Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6? in Splunk Search

Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

keithcoyle — Tue, 20 Oct 2015 12:11:59 GMT

Hey everyone

We updated to Splunk 6.2.6 and now some of our searches don't work anymore, and I was wondering if someone could look at the search string I have and see why it is not pulling up all the failed logins when someone is using RDP. Every time I try to run this, I get an error back that says "NO matching fields exist". I didn't write the search string, so hoping there is something wrong with it. I appreciate any help. What am I missing?

source="WinEventLog:Security" ( EventCode=529 Logon_Type=10 ) OR ( EventCode=4625 Logon_Type=10 ) | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | timechart count by User

Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

woodcock — Tue, 29 Sep 2020 07:35:57 GMT

Run this search:

index=* | where isnotnull(EventCode) | stats count by source sourcetype index

This should show you what is maybe a little different than you are specifying (expecting). Then adjust your searches accordingly.
Once you are searching your events, make sure each field exists: EventCode, Login_Type, Account_Name, User_Name, etc.

We have an open case with Splunk right now where our automatic field extractions are not working in 6.2.* and this may be your problem, too.

Also, be aware that Splunk v6.2* did deliberately break something VERY IMPORTANT for your source which could be effecting you adversely:

https://answers.splunk.com/answers/313829/wineventlogsecurity-default-for-evt-resolve-ad-obj.html

Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

keithcoyle — Tue, 20 Oct 2015 14:19:08 GMT

Wow I see lots of stuff LOL, just need to sort it all out. It is taking a long time to pull everything but I am guessing that is because it is pulling all the sourcetype data

Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

woodcock — Tue, 20 Oct 2015 14:32:00 GMT

Instead of using source="WinEventLog:Security" try sourcetype="WinEventLog:Security"

Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

woodcock — Tue, 20 Oct 2015 14:33:08 GMT

You could also try these variations: source::WinEventLog:Security and sourcetype::WinEventLog:Security

Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

keithcoyle — Tue, 20 Oct 2015 14:52:07 GMT

I tried the sourcetype and had to go back to in the last 7 days to get results but it did give me the date and number of events. I wanted a chart to show the user which I thought I had in the search string but it didn't pipe that part into what I wanted.

Re: Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

keithcoyle — Tue, 20 Oct 2015 15:06:10 GMT

I played around with it and got it to show what I wanted. Thanks for the insight