Hey everyone
We updated to Splunk 6.2.6 and now some of our searches don't work anymore, and I was wondering if someone could look at the search string I have and see why it is not pulling up all the failed logins when someone is using RDP. Every time I try to run this, I get an error back that says "NO matching fields exist". I didn't write the search string, so I'm hoping there is something wrong with it. I appreciate any help. What am I missing?
source="WinEventLog:Security" ( EventCode=529 Logon_Type=10 ) OR ( EventCode=4625 Logon_Type=10 ) | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | timechart count by User
Run this search:
index=* | where isnotnull(EventCode) | stats count by source sourcetype index
This should show you what is maybe a little different than you are specifying (expecting). Then adjust your searches accordingly.
Once you are searching your events, make sure each field exists: EventCode, Logon_Type, Account_Name, User_Name, etc.
We have an open case with Splunk right now where our automatic field extractions are not working in 6.2.* and this may be your problem, too.
Also, be aware that Splunk v6.2* did deliberately break something VERY IMPORTANT for your source which could be affecting you adversely:
https://answers.splunk.com/answers/313829/wineventlogsecurity-default-for-evt-resolve-ad-obj.html
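As an added illustration (not part of any answer in this thread), here are two searches that turn the "make sure each field exists" advice into something you can run. Both assume the events are indexed with sourcetype "WinEventLog:Security" and that the field names match the ones in the original search; adjust them to whatever the stats-by-source search above reveals. The first search counts, per source and EventCode, how many events actually carry each field the original search depends on (count(field) only counts events where that field is non-null, so a column of zeros is the field that is missing). The second is the original RDP failed-logon search with the eval changed to coalesce(): the original if(isnull(Account_Name), ...) branch returns null whenever Account_Name is single-valued, because mvindex(Account_Name, 1) has no second value to return, and those events then vanish from the "by User" chart.

```spl
sourcetype="WinEventLog:Security" (EventCode=529 OR EventCode=4625)
| stats count AS events
        count(Logon_Type) AS has_Logon_Type
        count(Account_Name) AS has_Account_Name
        count(User_Name) AS has_User_Name
        BY sourcetype source EventCode

sourcetype="WinEventLog:Security" (EventCode=529 OR EventCode=4625) Logon_Type=10
| eval User = coalesce(mvindex(Account_Name, 1), User_Name)
| timechart count BY User
```

Run the first search over the same time range as your dashboard: if has_Logon_Type or has_Account_Name is 0 while events is not, the field extraction (not the search logic) is what broke after the upgrade. In the second search, mvindex(Account_Name, 1) picks the second Account_Name value because 4625 events list the subject account first and the account that failed to log on second; when only one value is present, coalesce() falls back to User_Name instead of dropping the event.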
Wow, I see lots of stuff LOL, just need to sort it all out. It is taking a long time to pull everything, but I am guessing that is because it is pulling all the sourcetype data.
Instead of using source="WinEventLog:Security"
try sourcetype="WinEventLog:Security"
I tried the sourcetype and had to go back to in the last 7 days to get results but it did give me the date and number of events. I wanted a chart to show the user which I thought I had in the search string but it didn't pipe that part into what I wanted.
You could also try these variations: source::WinEventLog:Security
and sourcetype::WinEventLog:Security
I played around with it and got it to show what I wanted. Thanks for the insight