
How to edit my search to limit results to a specific user?

Explorer

Hi, I'm working with the search below and getting good results for all currently logged-in user accounts, but would anyone know how to search for a specific account? For example, Tom Smith or tsmith?

Thanks...

sourcetype="WinEventLog:Security" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domains Controller", count by user, ComputerName
| rename user as Users, count as Total_time_logged_in

Re: How to edit my search to limit results to a specific user?

SplunkTrust

Change

 NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown) 

to

user=tsmith

assuming that's the format of your user names in your logs.


Re: How to edit my search to limit results to a specific user?

SplunkTrust

You may need to use wildcards. The best option would be to check how the user name is available in your logs.
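As an added example (not part of either answer above), here is the original search restricted to one account while keeping the exclusion of machine, anonymous and system accounts; the extra DOMAIN\tsmith and tsmith@domain forms are assumptions about how the logs may store the name, so check the actual format first with the stats query mentioned below.

```spl
sourcetype="WinEventLog:Security" (EventCode=540 OR EventCode=4624)
    NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
    (user=tsmith OR user="*\\tsmith" OR user="tsmith@*")
| stats dc(src_ip) AS Number_logged_hosts, values(src_ip) AS "Logins IPs", values(dvc) AS "Domains Controller", count BY user, ComputerName
| rename user AS Users, count AS Total_time_logged_in
```

To see which of these forms your events actually use, run `sourcetype="WinEventLog:Security" (EventCode=540 OR EventCode=4624) | stats count by user` first and keep only the matching clause.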


Re: How to edit my search to limit results to a specific user?

Explorer

I thought of that, I'll try it... thanks!!
