Hello,
I'm trying to create a list of users who use a particular software, let's say Notepad 7.6.3. I can easily find the PCs where software is installed:
index=my_software_list software_name="Notepad 7.6.3" | table dns_name
Now I’m thinking to simply use Windows Security logs and find the user who was connected to these PCs. Something like:
index=windows_security EventCode=4624 dns_name=??? | table user
The question is how can I put all PCs found in my previous search to this query? Should I use join left? Should I export the results of the first search to a lookup and then perform inputlookup in a separate one? Any other idea?
Thanks for the help.
Regards,
Alex.
Give this a try
index=windows_security EventCode=4624 [search index=my_software_list software_name="Notepad 7.6.3" |stats count by dns_name | table dns_name] | table user
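How the bracketed subsearch in the answer above gets applied, modelled in Python as an added example (not part of the original answer and not Splunk's own code): the inner results become an OR filter on dns_name, and hosts beyond the subsearch result cap are dropped without an error. The sample rows, events and host names are constructed; 10000 is the default `maxout` for subsearches in limits.conf.

```python
"""Model of the subsearch expansion used in the answer (added example)."""

SUBSEARCH_MAXOUT = 10000  # default [subsearch] maxout in limits.conf

# Constructed sample data standing in for the two indexes on the page.
SOFTWARE_ROWS = [
    {"dns_name": "pc01.corp.example", "software_name": "Notepad 7.6.3"},
    {"dns_name": "pc02.corp.example", "software_name": "Notepad 7.6.3"},
    {"dns_name": "pc01.corp.example", "software_name": "Notepad 7.6.3"},
]
LOGON_EVENTS = [
    {"EventCode": 4624, "dns_name": "PC01.corp.example", "user": "alice"},
    {"EventCode": 4624, "dns_name": "pc02.corp.example", "user": "bob"},
    {"EventCode": 4624, "dns_name": "pc09.corp.example", "user": "carol"},
    {"EventCode": 4634, "dns_name": "pc01.corp.example", "user": "dave"},
]


def expand_subsearch(rows, maxout=SUBSEARCH_MAXOUT):
    """Mimic `stats count by dns_name | table dns_name` plus the implicit format.

    Returns (filter_string, kept_hosts, truncated).
    """
    hosts = []
    for row in rows:
        name = row["dns_name"].lower()  # search-time value matching ignores case
        if name not in hosts:
            hosts.append(name)
    kept = hosts[:maxout]  # rows past the cap never reach the outer search
    clause = " OR ".join(f'( dns_name="{h}" )' for h in kept)
    return f"( {clause} )", set(kept), len(hosts) > len(kept)


def users_on_hosts(events, rows, maxout=SUBSEARCH_MAXOUT):
    """Apply the expanded filter to 4624 events and group users per host."""
    _, kept, truncated = expand_subsearch(rows, maxout)
    users = {}
    for ev in events:
        if ev.get("EventCode") != 4624:
            continue  # only successful logons, as in the outer search
        host = ev.get("dns_name", "").lower()
        if host in kept:
            users.setdefault(host, set()).add(ev["user"])
    return users, truncated


if __name__ == "__main__":
    print(expand_subsearch(SOFTWARE_ROWS)[0])
    print(users_on_hosts(LOGON_EVENTS, SOFTWARE_ROWS))
```

The outer events only match when they carry a field with the same name as the one the subsearch returns, here dns_name.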
Gorgeous!
Thanks for the help.