I would like to assign src_ip to all events that have the same Logon_ID, but src_ip only comes with EventCode=4624.
Could you please let me know how?
Updated:
index=wineventlog EventCode=* Logon_ID!="0x0"
| eventstats values(src_ip) as src_ip by Logon_ID
| stats values(EventCode) as EventCode by Logon_ID src_ip
Hi, @90509
How about this?
I appreciate your help, but I want the table like this:
Suppose I take one Logon_ID. That Logon_ID has a number of event codes, like EventCode=4624 or 4625 or 4672 or 4648. In this scenario all the event codes share the same Logon_ID, but only EventCode=4624 has src_ip. So I need to fetch the results with src_ip assigned to the events or EventCodes that have the same Logon_ID.
According to your query, if there is no src_ip for an EventCode, it is not populated, but I want all event codes that have the same Logon_ID to be assigned the same src_ip.
How do I assign src_ip to all event codes that have the same Logon_ID?
I think it has nothing to do with the table display.
I updated the answer, but I'm not sure.
EventCode=4624 has both src_ip and logon_id?
Yes, but some events have only Logon_ID, so for those I need to assign src_ip as well.
Do I need to perform any join operations?
I have tried this, but it's not working:
index=wineventlog EventCode=*
| where Logon_ID!="0x0"
| stats count by src_ip, Logon_ID, EventCode
| join
    [ search index="wineventlog" EventCode=4624
      | where Logon_ID!="0x0"
      | stats count by src_ip, Logon_ID, EventCode ]
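The eventstats approach from the answer above, emulated offline on constructed Windows logon events, as an added example that is not from the thread or from Splunk: it shows src_ip being carried from the 4624 event to the 4672/4648 events that share its Logon_ID, and why a Logon_ID that never produced a 4624 still drops out of the final stats table (its src_ip by-field is null). The event contents and field names are assumptions modelled on the thread.

```python
# Added example (not from the thread): emulates
#   | eventstats values(src_ip) as src_ip by Logon_ID
#   | stats values(EventCode) as EventCode by Logon_ID src_ip
# on constructed Windows Security events.
from collections import defaultdict

# Constructed sample events: only 4624 (successful logon) carries src_ip;
# 4672/4648/4634 share a Logon_ID but have none. Logon_ID 0x0 and a
# Logon_ID with no 4624 are included to show the edge cases.
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Logon_ID": "0x3e7a1", "src_ip": "10.0.0.5"},
    {"EventCode": "4672", "Logon_ID": "0x3e7a1"},
    {"EventCode": "4648", "Logon_ID": "0x3e7a1"},
    {"EventCode": "4624", "Logon_ID": "0x51c2", "src_ip": "192.0.2.10"},
    {"EventCode": "4624", "Logon_ID": "0x51c2", "src_ip": "192.0.2.11"},
    {"EventCode": "4634", "Logon_ID": "0x51c2"},
    {"EventCode": "4625", "Logon_ID": "0x0"},     # dropped like Logon_ID!="0x0"
    {"EventCode": "4672", "Logon_ID": "0x9999"},  # no 4624: src_ip stays empty
]

def enrich_src_ip(events):
    """eventstats-style enrichment: every event keeps its own fields and gets
    the set of src_ip values seen for its Logon_ID (from events that carry
    one). Logon_ID 0x0 is dropped first, as in the thread's search."""
    kept = [e for e in events if e.get("Logon_ID") != "0x0"]
    ips_by_logon = defaultdict(set)
    for e in kept:
        if e.get("src_ip"):
            ips_by_logon[e["Logon_ID"]].add(e["src_ip"])
    enriched = []
    for e in kept:
        row = dict(e)
        # values() in SPL yields a sorted multivalue field; mirror that here.
        row["src_ip"] = sorted(ips_by_logon.get(e["Logon_ID"], ()))
        enriched.append(row)
    return enriched

def event_codes_by_logon(enriched):
    """Equivalent of | stats values(EventCode) as EventCode by Logon_ID src_ip.
    A multivalue by-field splits into one row per value, and events whose
    src_ip is null are excluded from the table, exactly as stats would do."""
    table = defaultdict(set)
    for e in enriched:
        for ip in e["src_ip"]:
            table[(e["Logon_ID"], ip)].add(e["EventCode"])
    return {key: sorted(codes) for key, codes in table.items()}

if __name__ == "__main__":
    for key, codes in event_codes_by_logon(enrich_src_ip(SAMPLE_EVENTS)).items():
        print(key, codes)
```

If a Logon_ID must stay visible even without a 4624, keep it in the table by filling the empty src_ip with a placeholder (for example with fillnull) before the final stats.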