I have an employee who keeps getting locked out. I wanted to know how to put a script in to find out which device is getting locked out.
_time user desc OU hostName lockout
How is this for an example?
From what you have shown so far, if the EventCode is "True", the user is locked out and you set lockout to "Yes", but you haven't shown any events where this is the case. Is this because there are no events like this?
It does show locked-out users as well as unlocked users. Honestly, I know who is locked out and who is not. I wish it would state Yes when it is, instead of No for everyone. But the real issue I have is this: how can I know which computer is locked out, or if it is off-site?
Splunk can only report what it finds in the logged events or something it "calculates" from the events. So, the question remains, what evidence do you have in your log events that show that the user is locked out or off-site? (To be fair, you haven't told us what "locked out" or "off-site" mean, let alone shown evidence of these states!)
I understand you're not able to help. Thanks for your help anyway.
It's very difficult to help with a search when we don't know what is being searched. Something in your indexed data must be showing when an account is locked out. Show us those events and we can help you craft a search for them.
Thanks so much for trying to help me. I agree with what you stated. Something is wrong. However, I did:
I posted what was in the search.
Then, I posted what was ingested from the logs. I'm not sure what more information you need from me.
What you posted with respect to the logs was a table of values for fields (presumably derived from your events). What would be more useful is the raw events, e.g. the _raw field for the events you are trying to use to determine which device(s) the user(s) is (are) locked out from. If this evidence is not in your raw event data, it is highly unlikely that Splunk can help you find it. Having said that, there may be a sequence, or possibly an incomplete sequence, of events that indicate that a user failed to connect. For example, you may have evidence in your logs of connections and failed login attempts on those sessions, or even just connection attempts. We have no idea until you share what information you have.
Thanks for the information and explaining again what information you wanted. Here is the raw data you requested:
Thanks for sharing the events. That helps. Am I correct in interpreting them to say a lock event has just the headings with empty values? If so, then the query becomes one of looking for said empty values. One problem, of course, is that the empty values convey no information so you won't know which workstation is being used.
I agree, but how can I fix this?
Do you have any other sources of information, e.g. other logs, connection logs, metadata about the "empty" logs, when the events happen, where they were originally logged? Can you work your way back up the chain to find where the event was generated?
Thanks, I will work on that information.
So you don't have any events for the locked accounts?
The Statistics show locked and unlocked accounts, but the raw data does not show the event codes 4740 for yes and no.
| eval lockout=if(EventCode =True,"Yes","No")
Can you share how the field "EventCode" is evaluated? You shared your search and the results from your search. What would be helpful is an anonymized raw event which feeds into your search.
Any event which indicates an account is in lockout status may not show where the authentication attempt came from. This is why knowing the raw event is helpful to outsiders providing feedback. If you are really trying to discover the root of account lockouts then you need a search for failed login attempts. The two data sets might come from different log entries.
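As an added example (not from the thread, nor Splunk's own code), here is what the raw events need to carry before any search can name the device: a 4740 lockout event carries a Caller Computer Name, and a 4625 failed-logon event carries a Workstation Name and Source Network Address. The Python below parses constructed sample events in that layout and builds the per-user lockout/device/off-site table the search above was after; the sample events, the trimmed field layout and the corporate address ranges are all assumptions to adjust to your own data.

```python
import re
import ipaddress
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]  # placeholder ranges
# Constructed sample events (trimmed Windows Security layout, "---" separates them); 4740 names the device in "Caller Computer Name", 4625 in "Workstation Name".
SAMPLE_EVENTS = """EventCode=4740
Subject:\tAccount Name:\t\tDC01$
Account That Was Locked Out:\tAccount Name:\t\tjdoe
Additional Information:\tCaller Computer Name:\tLAPTOP-7
---
EventCode=4625
Account For Which Logon Failed:\tAccount Name:\t\tjdoe
Network Information:\tWorkstation Name:\tLAPTOP-7
\tSource Network Address:\t203.0.113.5
"""

def parse_events(raw):
    """Pull EventCode, target account, device and source IP out of each raw event."""
    events = []
    for block in raw.split("---"):
        code = re.search(r"EventCode=(\d+)", block)
        names = re.findall(r"Account Name:\s*(\S+)", block)  # subject first, target account last
        if not code or not names:
            continue
        dev = re.search(r"(?:Caller Computer Name|Workstation Name):\s*(\S+)", block)
        ip = re.search(r"Source Network Address:\s*(\S+)", block)
        events.append({"code": code.group(1), "account": names[-1],
                       "device": dev and dev.group(1), "ip": ip and ip.group(1)})
    return events

def is_offsite(ip):
    # True only when the address parses and lies outside CORP_NETWORKS ("-" means no address was logged)
    try:
        return not any(ipaddress.ip_address(ip) in net for net in CORP_NETWORKS)
    except ValueError:
        return False

def lockout_report(raw):
    # Per account: lockout Yes/No, devices seen, source IPs, and whether any source was off-site
    report = {}
    for ev in parse_events(raw):
        row = report.setdefault(ev["account"], {"lockout": "No", "devices": set(), "ips": set(), "offsite": False})
        if ev["code"] == "4740":
            row["lockout"] = "Yes"
        if ev["device"]:
            row["devices"].add(ev["device"])
        if ev["ip"]:
            row["ips"].add(ev["ip"])
            row["offsite"] = row["offsite"] or is_offsite(ev["ip"])
    return report
```

In Splunk the same three fields can be pulled from _raw with rex and grouped with stats by account; if your raw 4740 events have no Caller Computer Name, no search can recover the device from them.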
As I looked into the information you asked me for, the EventCode is supposed to be the lockout event code 4740, and it states Yes for lockout if it locks out, and No if it does not. But in the raw data, it seems like my lockout question doesn't exist.
Thanks for the information.
index=* source="activedirectory" eventtype="ad-files" Event*
These are the logs I have. They give me a lot of information. However, they do not give me the computer name that is getting locked out, or whether they are off-site.
Thanks. That was the search, not the events. Do you have any evidence in logs that you have ingested into Splunk that the user is getting locked out?