Hi all,
I have a search like this:
(index=* OR index=_*) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type=* NOT (EventCode=4719 OR EventCode=4624 OR EventCode=4672 OR EventCode=4627 OR EventCode=4634 OR EventCode=4648 OR EventCode=4688 OR EventCode=4616 OR EventCode=4826 OR EventCode=4957 OR EventCode=4776 OR EventCode=1100 OR EventCode=4902 OR EventCode=4647 OR EventCode=1101 OR EventCode=4696 OR EventCode=4905 OR EventCode=4904)
| eval EventCode=if(EventCode="4801","Deblocat4801",EventCode)
| eval EventCode=if(EventCode="4800","Blocat4800",EventCode)
| eval EventCode=if(EventCode="4625","ParolaGresita4625",EventCode)
| eval Security_ID=if(Security_ID="HUB\Bogdan.NICOLESCU","Bogdan.Nicolescu",Security_ID)
| eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID)
| eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID)
| rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID
| fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID"
| bucket _time span=1s
| stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID
| sort limit=100000 _time
| rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID
| fillnull "Distinct Count of EventCode"
| fields _time, EventCode, Security_ID, "Distinct Count of EventCode"
My question is: how can I include in the search only
Security_ID="Bogdan.Nicolescu" Security_ID="Bogdan.Nicolescu.2" Security_ID="Bogdan.Nicolescu.7759"
so I can get rid of the excludes:
NOT (EventCode=4719 OR EventCode=4624 OR EventCode=4672 OR EventCode=4627 OR EventCode=4634 OR EventCode=4648 OR EventCode=4688 OR EventCode=4616 OR EventCode=4826 OR EventCode=4957 OR EventCode=4776 OR EventCode=1100 OR EventCode=4902 OR EventCode=4647 OR EventCode=1101 OR EventCode=4696 OR EventCode=4905 OR EventCode=4904)
Thank you.
You can write your main search as
(index=* OR index=_*) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type=* (Security_ID="HUB\Bogdan.NICOLESCU" OR Security_ID="HUB\bogdan.nicolescu" OR Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759")
| eval Security_ID=if(Security_ID="HUB\Bogdan.NICOLESCU","Bogdan.Nicolescu",Security_ID)
| eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID)
| eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID)
| rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID
| fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID"
| bucket _time span=1s
| stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID
| sort limit=100000 _time
| rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID
| fillnull "Distinct Count of EventCode"
| fields _time, EventCode, Security_ID, "Distinct Count of EventCode"
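The same include-list approach, written a bit more compactly as an added example (not the answer's or the original poster's search): the `IN` operator replaces the chain of `OR` terms, one `case()` replaces the chain of nested `if()` evals, and the stats is grouped only by time and account so that `dc(EventCode)` actually counts distinct event codes per second per user. The raw account values and the display names are the ones from the thread; the `values(EventCode)` column is an assumption added so the rows show which codes were seen.

```spl
(index=* OR index=_*) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type=*
    Security_ID IN ("HUB\Bogdan.NICOLESCU", "HUB\bogdan.nicolescu", "S-1-5-21-2194086089-2732682161-3381787425-7759")
| eval Security_ID=case(
      Security_ID="HUB\Bogdan.NICOLESCU", "Bogdan.Nicolescu",
      Security_ID="HUB\bogdan.nicolescu", "Bogdan.Nicolescu.2",
      Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759", "Bogdan.Nicolescu.7759",
      true(), Security_ID)
| eval EventCode=case(
      EventCode="4801", "Deblocat4801",
      EventCode="4800", "Blocat4800",
      EventCode="4625", "ParolaGresita4625",
      true(), EventCode)
| bucket _time span=1s
| stats dc(EventCode) AS "Distinct Count of EventCode" values(EventCode) AS EventCodes by _time, Security_ID
| sort limit=100000 _time
| fields _time, Security_ID, "Distinct Count of EventCode", EventCodes
```

Two things to keep in mind when adapting this: the `Security_ID IN (...)` filter in the search command matches field values case-insensitively, so `HUB\Bogdan.NICOLESCU` and `HUB\bogdan.nicolescu` select the same events, but `eval`/`case()` comparisons are case-sensitive, which is why both spellings still need their own branch if they should map to different display names. And filtering on the accounts you care about (an allow-list) scales better than maintaining a `NOT (EventCode=... OR ...)` list, which silently drops any new event code you have not yet added.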
Hi Vijeta,
Yes! Thank you very much. Worked like a charm.
Bogdan.