Splunk Search

Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

keithcoyle
New Member

Hey everyone

We updated to Splunk 6.2.6 and now some of our searches don't work anymore, and I was wondering if someone could look at the search string I have and see why it is not pulling up all the failed logins when someone is using RDP. Every time I try to run this, I get an error back that says "NO matching fields exist". I didn't write the search string, so hoping there is something wrong with it. I appreciate any help. What am I missing?

source="WinEventLog:Security" ( EventCode=529 Logon_Type=10 ) OR ( EventCode=4625 Logon_Type=10 ) | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | timechart count by User
0 Karma
1 Solution

woodcock
Esteemed Legend

Run this search:

index=* | where isnotnull(EventCode) | stats count by source sourcetype index

This should show you what is maybe a little different than you are specifying (expecting). Then adjust your searches accordingly.
Once you are searching your events, make sure each field exists: EventCode, Login_Type, Account_Name, User_Name, etc.

We have an open case with Splunk right now where our automatic field extractions are not working in 6.2.* and this may be your problem, too.

Also, be aware that Splunk v6.2* did deliberately break something VERY IMPORTANT for your source which could be affecting you adversely:

https://answers.splunk.com/answers/313829/wineventlogsecurity-default-for-evt-resolve-ad-obj.html


0 Karma
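As an added illustration that is not part of this thread, here is a small Python model of the search string in the question together with the field-existence check recommended above. The sample events and the regexes are constructed assumptions standing in for Splunk's automatic field extractions; the user-resolution logic mirrors the eval in the question, including why mvindex(Account_Name,1) is needed (a 4625 event lists "Account Name" twice: the Subject first, then the account that failed).

```python
import re
from collections import Counter

# Constructed sample events (not real logs), laid out like the multi-line
# WinEventLog:Security text Splunk indexes. Event 4625 carries "Account Name"
# twice (Subject, then the account that failed), which is why the search in
# the question uses mvindex(Account_Name, 1); legacy 529 uses "User Name".
SAMPLE_EVENTS = [
    "EventCode=4625\nSubject:\n\tAccount Name:\t\t-\nLogon Type:\t\t10\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP",
    "EventCode=4625\nSubject:\n\tAccount Name:\t\t-\nLogon Type:\t\t3\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tsvc_backup",
    "EventCode=529\nLogon Failure:\n\tUser Name:\tasmith\n\tDomain:\tCORP\n\tLogon Type:\t10",
    "EventCode=4625\nSubject:\n\tAccount Name:\t\t-\nLogon Type:\t\t10\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tjdoe",
    "EventCode=4625\nSubject:\n\tAccount Name:\t\tbob",  # Logon Type missing: broken extraction
]

REQUIRED = ("EventCode", "Logon_Type")  # fields the search cannot run without

def extract_fields(event):
    """Hypothetical stand-in for Splunk's automatic field extraction (assumed regexes)."""
    fields = {}
    if m := re.search(r"EventCode=(\d+)", event): fields["EventCode"] = m.group(1)
    if m := re.search(r"Logon Type:\s*(\d+)", event): fields["Logon_Type"] = m.group(1)
    if names := re.findall(r"Account Name:\s*(\S+)", event): fields["Account_Name"] = names  # multivalue
    if m := re.search(r"User Name:\s*(\S+)", event): fields["User_Name"] = m.group(1)
    return fields

def resolve_user(fields):
    """Mirror of: eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))."""
    if "Account_Name" not in fields:
        return fields.get("User_Name")
    names = fields["Account_Name"]
    return names[1] if len(names) > 1 else None  # mvindex out of range yields null

def rdp_failed_logons(events):
    """Return (failed RDP logon count by User, list of missing fields per unusable event)."""
    counts, missing = Counter(), []
    for ev in events:
        f = extract_fields(ev)
        absent = [k for k in REQUIRED if k not in f]
        if absent:
            missing.append(absent)  # would surface as "No matching fields exist" in Splunk
            continue
        if f["EventCode"] in ("529", "4625") and f["Logon_Type"] == "10":
            counts[resolve_user(f)] += 1
    return counts, missing
```

Running rdp_failed_logons(SAMPLE_EVENTS) counts jdoe twice and asmith once, drops the Logon Type 3 event, and reports the event whose Logon_Type extraction failed.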

keithcoyle
New Member

Wow, I see lots of stuff, LOL; I just need to sort it all out. It is taking a long time to pull everything, but I am guessing that is because it is pulling all the sourcetype data.

0 Karma

woodcock
Esteemed Legend

Instead of using source="WinEventLog:Security" try sourcetype="WinEventLog:Security"

0 Karma

keithcoyle
New Member

I tried the sourcetype and had to go back to the last 7 days to get results, but it did give me the date and number of events. I wanted a chart to show the user, which I thought I had in the search string, but it didn't pipe that part into what I wanted.

0 Karma

woodcock
Esteemed Legend

You could also try these variations: source::WinEventLog:Security and sourcetype::WinEventLog:Security

0 Karma

keithcoyle
New Member

I played around with it and got it to show what I wanted. Thanks for the insight.

0 Karma