Getting Data In

How do I assign src_ip to all event codes that have the same Logon_ID?

90509
Engager

I would like to assign src_ip to all events that have the same Logon_ID, but src_ip is only present on EventCode=4624.
Could you please let me know how?

0 Karma

to4kawa
Ultra Champion

Updated:

index=wineventlog EventCode=* Logon_ID!="0x0"
| eventstats values(src_ip) as src_ip by Logon_ID
| stats values(EventCode) as EventCode by Logon_ID src_ip

Hi, @90509
How about this?

0 Karma

90509
Engager

I appreciate your help, but I want the table like this:

Suppose I take one Logon_ID. That Logon_ID has a number of event codes, like EventCode=4624, 4625, 4672 or 4648. In this scenario all the event codes have the same Logon_ID, but only EventCode=4624 has src_ip. So I need to fetch the results with src_ip assigned to the events or EventCodes that have the same Logon_ID.

0 Karma

90509
Engager

With your query, if there is no src_ip for an event code it is not populated, but I want all event codes that have the same Logon_ID to be assigned the same src_ip.

0 Karma
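The two SPL commands in the answer above (eventstats to copy src_ip across a Logon_ID, then stats to collapse the event codes) are reproduced below in Python over constructed sample events, so the behaviour the follow-up comments complain about can be seen step by step. This is an added illustration, not code from the thread or from Splunk; the event records, host names and IPs are made up. Two points it makes explicit: Windows Logon_IDs are only unique per boot of one machine, so the grouping key here includes host as well as Logon_ID (an addition the thread's query does not make); and a session that never logged a 4624 keeps src_ip as None, which is exactly the row that a Splunk `stats ... by src_ip` would silently drop.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). Field names mirror the
# question: EventCode, Logon_ID, src_ip; host is added because Logon_IDs
# repeat across machines and reboots.
EVENTS = [
    {"host": "ws01", "EventCode": 4624, "Logon_ID": "0x1a2b3c", "src_ip": "10.0.0.5"},
    {"host": "ws01", "EventCode": 4672, "Logon_ID": "0x1a2b3c"},
    {"host": "ws01", "EventCode": 4648, "Logon_ID": "0x1a2b3c"},
    {"host": "ws01", "EventCode": 4634, "Logon_ID": "0x1a2b3c"},
    {"host": "ws01", "EventCode": 4625, "Logon_ID": "0x0"},       # dropped, like Logon_ID!="0x0"
    {"host": "ws02", "EventCode": 4672, "Logon_ID": "0x1a2b3c"},  # same ID, other host: other session
    {"host": "ws02", "EventCode": 4624, "Logon_ID": "0x1a2b3c", "src_ip": "10.0.0.9"},
    {"host": "ws02", "EventCode": 4672, "Logon_ID": "0x99"},      # no 4624 seen: src_ip unknown
]


def _session(ev):
    """Grouping key; Logon_ID alone is ambiguous across hosts and reboots."""
    return (ev["host"], ev["Logon_ID"])


def enrich_src_ip(events):
    """Equivalent of `eventstats values(src_ip) as src_ip by host Logon_ID`:
    collect every src_ip seen for a session and copy the list onto all of
    that session's events. Events with Logon_ID 0x0 are filtered out first.
    Sessions with no src_ip anywhere get None rather than being dropped."""
    ips = defaultdict(set)
    kept = [ev for ev in events if ev.get("Logon_ID") not in (None, "0x0")]
    for ev in kept:
        if "src_ip" in ev:
            ips[_session(ev)].add(ev["src_ip"])
    enriched = []
    for ev in kept:
        new = dict(ev)
        found = ips[_session(ev)]
        new["src_ip"] = sorted(found) if found else None
        enriched.append(new)
    return enriched


def summarize(enriched):
    """Equivalent of `stats values(EventCode) as EventCode by host Logon_ID src_ip`,
    except that rows whose src_ip is None are kept (Splunk's stats would drop
    them unless you fillnull src_ip first)."""
    table = defaultdict(set)
    for ev in enriched:
        ip = ",".join(ev["src_ip"]) if ev["src_ip"] else None
        table[(ev["host"], ev["Logon_ID"], ip)].add(ev["EventCode"])
    return {key: sorted(codes) for key, codes in table.items()}


if __name__ == "__main__":
    for key, codes in summarize(enrich_src_ip(EVENTS)).items():
        print(key, codes)
```

The ("ws02", "0x99", None) row is the case the asker describes as "not populating": no 4624 exists for that session, so there is nothing to copy. In SPL the usual fix is to insert `| fillnull value=unknown src_ip` between the eventstats and the stats so those sessions still appear in the table instead of being discarded by the `by src_ip` grouping.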

to4kawa
Ultra Champion

How do I assign src_ip to all event codes that have the same Logon_ID?

I think it has nothing to do with the table display.
I updated the answer, but I'm not sure.

0 Karma

to4kawa
Ultra Champion

EventCode=4624 has both src_ip and logon_id?

0 Karma

90509
Engager

Yes, but some events have only Logon_ID, so for those I need to assign src_ip as well.

0 Karma

90509
Engager

Do I need to perform any join operations?

I have tried this, but it's not working:
index=wineventlog EventCode=*
| where Logon_ID !="0x0"
|stats count by src_ip,Logon_ID,EventCode
|join
[ search index="wineventlog" EventCode=4624
| where Logon_ID !="0x0"
|stats count by src_ip,Logon_ID,EventCode]

0 Karma