Splunk Search

How to filter search results from query

kodyrubida
Engager

Hi, I am looking to grab all windows events of successful NTLM logins without using Kerberos. Here is my query so far.  

 

"eventcode=4776" "Error Code: 0x0" ntlm

 

I think this is working as of now, however it brings results including the value of Kerberos, I tried using the value, Not "Kerberos" , however it completely broke my search result.

 

I am looking to grab only the value of "Account Name:" and "Source Network Address:" then export it to a csv file every week. 

 

Is this something I can do with Splunk? If so any help would be appreciated. Thanks.

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try NOT as the capitalise version is a recognised word (similarly for OR and AND)

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...