I keep getting an error message when I am attempting to this command
* EventCode=* user=* WinEventLog:Application
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
I need to pull the applications that are running in the Event Viewer. I was able to pull them in a different location, but I want it to show more information, together with the user information.
I also tried this for my search: source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=*
Received this message: No results found. Try expanding the time range.
Hi @jovnice ,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @jovnice ,
I suggest adding index=wineventlog because it gives you better performance than the following solution!
Anyway, if you don't want this solution, you could add the wineventlog index to the default search path (in [Settings > Roles > <your_role> > Indexes]).
Ciao.
Giuseppe
@jovnice - Please specify index. If you don't know the index, run this search for a longer time range, something like the last 7 days or so.
index=* source="*WinEventLog:Application"
Try this search and see if you see any results. Once you see any results then you can add more search criteria.
I hope this helps!!! Kindly upvote if this helps!!
Please copy-paste the search query I gave.
Also, put your search query that you are trying to run here, so I can check what's wrong.
Hi @jovnice,
WinEventLog:Application should be the source field and not a string as you are using.
Anyway, what's the error you're receiving?
Ciao.
Giuseppe
index=<index-name> source="WinEventLog:Application" EventCode=* user=*
Also, please mention the specific error that you are getting, so we can help!!
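As an added example (not a query from any of the posters), here is the first search rewritten with the two fixes from the replies: an explicit index, and WinEventLog:Application given as a value of the source field instead of a bare search term. index=wineventlog is an assumption; replace it with whatever the index=* search reports. SourceName is the standard Windows event log field carrying the name of the application that logged the event, which is the "applications with user information" the question asks for.

```spl
index=wineventlog source="WinEventLog:Application" EventCode=* user=*
| eval src_nt_host=coalesce(src_nt_host, host)
| stats count latest(_time) as last_seen values(EventCode) as event_codes latest(src_nt_host) as host by SourceName user
| eval last_seen=strftime(last_seen, "%c")
| rename SourceName as "Application", user as "User Name", count as "Event Count"
| table "Application" "User Name" host event_codes last_seen "Event Count"
```

If the Security log should be included as well, keep every log as its own source= term, for example (source="WinEventLog:Application" OR source="WinEventLog:Security"), so that the second log name is not searched as a plain string.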