Archive

How do I filter successful events since I am getting too many?

Communicator

When I login I get too many logon events. How do I filter successful events?
This is the query:-

index="wineventlog" | timechart count span=1m 

And I'm also trying to minimize event size by the add-on "windowseventsizereducer" help me to reduce the events.

0 Karma

SplunkTrust
SplunkTrust

Have a look at this

https://gosplunk.com/failed-versus-successful-logon-attempts/
https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.htm...

You should be able to use the searches in there to figure out the event code filter that you need to apply to your query.