Hi,
I'm searching Windows authentication logs and want to tabulate the activity of a user.
My search query is:
index="win*" tag=authentication | stats values(src), values(dest), values(LogonType) by user | ....
I get results like this.
But I am looking for some
Try like this:
index="win*" tag=authentication src=* dest=* LogonType=* | stats values(src), values(dest), values(LogonType) by user
Have you tried this?
| transaction user | table user, src, dest, LogonType | ...
And if you don't want events with no dest, you should add dest=* to your search query.
index="win*" tag=authentication | stats values(user) by source,dest,LogonType | ....
Thank you, pradeep, for your response.
But this search does not give the expected result. I do not want values(user). I want the unique values of user.
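As an added example (not posted in this thread), the per-user table the answers above converge on, written out in full: it keeps the thread's field names (user, src, dest, LogonType), drops events missing src, dest or LogonType as suggested, and adds a distinct-source count and first/last seen times so one row per user shows where and how that account authenticated. The LogonType labels assume the standard Windows logon type codes (2 interactive, 3 network, 10 RemoteInteractive, etc.).

```spl
index="win*" tag=authentication src=* dest=* LogonType=*
| eval lt=tonumber(LogonType)
| eval LogonTypeName=case(lt==2,  "Interactive",
                          lt==3,  "Network",
                          lt==4,  "Batch",
                          lt==5,  "Service",
                          lt==7,  "Unlock",
                          lt==8,  "NetworkCleartext",
                          lt==9,  "NewCredentials",
                          lt==10, "RemoteInteractive",
                          lt==11, "CachedInteractive",
                          true(), "Other(".LogonType.")")
| stats count            AS logons
        dc(src)          AS distinct_sources
        values(src)      AS src
        values(dest)     AS dest
        values(LogonTypeName) AS LogonType
        earliest(_time)  AS first_seen
        latest(_time)    AS last_seen
    BY user
| convert ctime(first_seen) ctime(last_seen)
| sort - distinct_sources
| table user logons distinct_sources src dest LogonType first_seen last_seen
```

values() already deduplicates, so each user appears once with its unique src, dest and logon types; sorting on distinct_sources puts accounts seen from many hosts at the top for review.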