I'm trying to find which user was last logged in on a PC, but my search doesn't show any results.
Can you pls help?
`windows_idx` sourcetype="wineventlog:security" (Account_Name="*NameofPC*") AND (EventCode=4768 OR EventCode=672)
If you know the last time that YOU logged in onto your pc, then you can use your own information to find the right format for the records. Let's say that you logged on about half an hour ago. Let's find your record.
earliest=-45m@m latest=-15m@m `windows_idx` sourcetype="wineventlog:security" "*NameofPC*" | head 10
That will find up to 10 records, between 45 and 15 minutes ago, that contain the name of your pc. if that shows no results, then you know your
windows_idx macro or your sourcetype or the name of the fields or your NameofPC is wrong. Experiment until you get them right. The results will also show you the correct name and values for EventCode. On my system it is EventID.
Use what you learn to modify your search until it works to bring back YOUR logon records.
After that, you can expand the timeframe to bring in more records for the last day or week or whatever.
Good luck with your hunt!
By the way, the most common issue is the spelling of the field names, specifically the case of the letters. Check that up front.