Hi everyone,
I have this search:
index=main sourcetype=WinEventLog:Security
| eval Logon_failur = case((EventCode==4625 AND (Status==0xC0000234 OR Status==0xC0000072 OR Status==0xC0000193 OR Sub_Status==0xC0000234 OR Sub_Status==0xC0000072 OR Sub_Status==0xC0000193)), "FailedToLogOn", EventCode==531, "AccountDisabled", EventCode==532, "UserAccountExpired", EventCode==539, "AccountLockOut" )
| bin _time span=1h
| stats count by Logon_failur
| where count>50
But I get this error:
Error in 'eval' command: The expression is malformed. Expected XOR.
The problem is that I cannot use XOR, because it is not what I'm trying to do. I need the first value and one of the succeeding values, and if both of them match, I will have "true".
How can I do this?
And second question, in your opinion, is the second part of the search starting from "bin" correct?
Thank you
try like this:
...| eval Logon_failur = case((EventCode=="4625" AND (Status=="0xC0000234" OR Status=="0xC0000072" OR Status=="0xC0000193" OR Sub_Status=="0xC0000234" OR Sub_Status=="0xC0000072" OR Sub_Status=="0xC0000193")), "FailedToLogOn", EventCode=="531", "AccountDisabled", EventCode=="532", "UserAccountExpired", EventCode==539, "AccountLockOut" )|...
try like this:
...| eval Logon_failur = case((EventCode=="4625" AND (Status=="0xC0000234" OR Status=="0xC0000072" OR Status=="0xC0000193" OR Sub_Status=="0xC0000234" OR Sub_Status=="0xC0000072" OR Sub_Status=="0xC0000193")), "FailedToLogOn", EventCode=="531", "AccountDisabled", EventCode=="532", "UserAccountExpired", EventCode==539, "AccountLockOut" )|...
Hi
Make sure that you don't have a line in your search that begin with OR.
Have you tried wrapping the values in your eval in quotes by chance?
No, can you show me a brief example of what you mean?
Uh yes, it' working like this:
index=main sourcetype=WinEventLog:Security | eval Logon_failur = case((EventCode=="4625" AND (Status=="0xC0000234" OR Status=="0xC0000072" OR Status=="0xC0000193" OR Sub_Status=="0xC0000234" OR Sub_Status=="0xC0000072" OR Sub_Status=="0xC0000193")), "FailedToLogOn", EventCode=="531", "AccountDisabled", EventCode=="532", "UserAccountExpired", EventCode==539, "AccountLockOut" ) | bin _time span=1h | stats count by Logon_failur | where count>50