Splunk Enterprise 7.1.3, SCCM Current Branch with univesal forwarder configured to forward event logs and WMI.
I have written the following query, with the goal of identifying whenever the status of a SCCM service account changes. It is working, but I want it to only display the accounts identified in the query (it is currently showing all account activity on the server) and, I would like to show zeros if there has been no activity as opposed to not showing an entry. I tried fillnull and several other recommendations in other questions with undesirable results.
index="wineventlog" source="wineventlog:security" (AccountName="sccm.migrate" OR "configmgr.ssia" OR "configmgr.sql.ssrs" OR "configmgr.nac" NOT "SYSTEM") (AccountName!="-") earliest=-30h@h latest=now | stats count by AccountName | sort - count | rename AccountName to "User Name", count to "Number of Entries"
Thank you for your time.
Splunk search filter Inclusion is better than exclusion.
("sccm.migrate" OR "configmgr.ssia" OR "configmgr.sql.ssrs" OR "configmgr.nac") these are your account names? if so please mention the
Account_Name=<value1> OR Account_Name=<value2>.
(Account_Name!="-") is not require sine you are filtering the account names.
index="wineventlog" source="wineventlog:security" (Account_Name="sccm.migrate" OR Account_Name="configmgr.ssia" OR Account_Name="configmgr.sql.ssrs" OR Account_Name="configmgr.nac") | stats count by Account_Name | sort - count | rename Account_Name to "User Name", count to "Number of Entries"
Hope this helps.
This worked great, except the "-" and "SYSTEM" entries came back. If filtering by != is not the best prctice, I'd apreciatesome guidance on what is.