Splunk Search

How do I search for all the IPs that are located in the domain controller?

Esmeralda1
New Member

This is my first time using Splunk and I don't know many commands. I am looking for a command where I can get all the IPs in the domain controller and their account name.

0 Karma
1 Solution

DalJeanis
Legend

Hi @Esmeralda1 -

Here's what you need to figure out.

1) What index(es) is the data you are looking for in?
2) What is an example of the name of the domain controller?
3) What is an example of an IP that is in the domain controller?
4) What is an example of an account name?

Given the above information, you can search that index to find out what, exactly, the records look like that you are looking for.

Let's suppose that the index is called "foo", that the records have sourcetype "foo1", the domain controller is "barNone", one IP is 1.2.3.4, and one account name is "Billy17"

Set the time for the last 24 hours, and put this in the search bar...

index="foo" sourcetype="foo1" ( "barNone" OR "1.2.3.4"  ) | head 50 

That will give you the most recent 50 records in that index that have either barNone or IP 1.2.3.4 or both.

If there are a bunch of one and none of the others, then just open another search tab and copy the search, but eliminate the one that had too many results.

After that, you're going to want to figure out what information on the IP record will tell you which domain controller it belongs to.

Next, do the same for billy17, and see what his IP might be. Let's assume the user record is in the same index but a different sourcetype...

index="foo" sourcetype="foo2" "billy17" | head 50 

That will show you what those records look like.

Once you have the format of each of the records, then come back, open up a new question, and put a NON-CONFIDENTIAL sample of each kind of event in your question. Then we can help you put together a query that will give you what you need.


0 Karma
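For readers who want to see where the exploration steps in that answer lead, here is the shape the final search might take once the record formats are known. This is an added example, not part of DalJeanis's answer: it reuses the answer's placeholder index "foo", sourcetypes "foo1"/"foo2", domain controller "barNone" and account "billy17", and assumes hypothetical field names (src_ip and client_ip for the address, dc_name for the controller on the "foo1" records, and user for the account on the "foo2" records) that only the sample events from the exploration step can confirm. None of those field names come from the page; replace them with whatever your own events actually contain.

```spl
index="foo" (sourcetype="foo1" OR sourcetype="foo2") earliest=-24h
| eval ip=coalesce(src_ip, client_ip)
| eval dc=if(sourcetype=="foo1", dc_name, null())
| eval account=if(sourcetype=="foo2", user, null())
| where isnotnull(ip)
| stats values(dc) AS domain_controller, values(account) AS accounts, count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY ip
| search domain_controller="barNone"
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

The search pulls both record types in one pass, normalises the two possible IP field names into a single ip field, tags each event with either the controller name or the account name depending on which sourcetype it came from, and then lets stats BY ip do the correlation: every IP that appeared on a "barNone" record is listed with the account names seen from that same IP, how many events it produced, and when it was first and last seen. Run it over a short window first (the 24 hours the answer suggests) and check that "1.2.3.4" and "billy17" land on the same row; if they do not, one of the assumed field names is wrong and the exploration searches in the answer will show you the right one.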

Esmeralda1
New Member

Thank you, Dal.

0 Karma
