Splunk Search

Why is this search for RDP failed logins no longer returning results with error "No matching fields exist" after upgrading to Splunk 6.2.6?

keithcoyle
New Member

Hey everyone

We updated to Splunk 6.2.6 and now some of our searches don't work anymore, and I was wondering if someone could look at the search string I have and see why it is not pulling up all the failed logins when someone is using RDP. Every time I try to run this, I get an error back that says "NO matching fields exist". I didn't write the search string, so hoping there is something wrong with it. I appreciate any help. What am I missing?

source="WinEventLog:Security" ( EventCode=529 Logon_Type=10 ) OR ( EventCode=4625 Logon_Type=10 ) | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | timechart count by User
0 Karma
1 Solution

woodcock
Esteemed Legend

Run this search:

index=* | where isnotnull(EventCode) | stats count by source sourcetype index

This should show you what is maybe a little different than you are specifying (expecting). Then adjust your searches accordingly.
Once you are searching your events, make sure each field exists: EventCode, Login_Type, Account_Name, User_Name, etc.

We have an open case with Splunk right now where our automatic field extractions are not working in 6.2.* and this may be your problem, too.

Also, be aware that Splunk v6.2* did deliberately break something VERY IMPORTANT for your source which could be affecting you adversely:

https://answers.splunk.com/answers/313829/wineventlogsecurity-default-for-evt-resolve-ad-obj.html


0 Karma
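To make visible what the eval in the question's search does (and why woodcock's "make sure each field exists" matters), here is an added example, mine rather than anything from this thread or from Splunk, that mimics Splunk's key/value extraction and the `mvindex(Account_Name,1)` logic in Python over constructed event text; the sample events, the regex and the function names are my assumptions, not Splunk's implementation.

```python
import re
from collections import Counter

# Constructed sample events (not real log data). 4625 events carry two "Account Name"
# fields: the Subject that reported the failure and the account that failed to log on.
SAMPLE_EVENTS = [
    "EventCode=4625\nLogon Type:\t\t10\nSubject:\n\tAccount Name:\t\tDC01$\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\talice\n",
    "EventCode=4625\nLogon Type:\t\t10\nSubject:\n\tAccount Name:\t\t-\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tbob\n",
    "EventCode=4625\nLogon Type:\t\t3\nSubject:\n\tAccount Name:\t\t-\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\talice\n",   # not RDP
    "EventCode=529\nLogon Type:\t10\nUser Name:\tcarol\n",           # legacy format
    "EventCode=4625\nLogon Type:\t\t10\n",   # account fields never extracted
]

def extract_fields(event):
    """Mimic Splunk's automatic key/value extraction for the fields the search uses.
    A key that repeats (Account Name in 4625) becomes a multivalue list, as in Splunk."""
    fields = {}
    m = re.search(r"EventCode=(\d+)", event)
    if m:
        fields["EventCode"] = m.group(1)
    for key, value in re.findall(r"^[ \t]*([A-Za-z ]+?):\t+(\S+)$", event, re.M):
        fields.setdefault(key.replace(" ", "_"), []).append(value)
    return fields

def resolve_user(fields):
    """The search's eval: fall back to User_Name (529 format) when Account_Name is absent,
    else mvindex(Account_Name, 1): the target account, not the Subject; out of range -> None."""
    account = fields.get("Account_Name")
    if account is None:
        return fields.get("User_Name", [None])[0]
    return account[1] if len(account) > 1 else None

def rdp_failures_by_user(events):
    """Apply the search's filter (529 or 4625 with Logon_Type 10) and count by User.
    Also returns how many matching events had no resolvable user: those silently
    vanish from 'timechart count by User' when field extraction breaks."""
    counts, unresolved = Counter(), 0
    for event in events:
        f = extract_fields(event)
        if f.get("EventCode") not in ("529", "4625") or f.get("Logon_Type") != ["10"]:
            continue
        user = resolve_user(f)
        if user is None:
            unresolved += 1
        else:
            counts[user] += 1
    return dict(counts), unresolved
```

Running `rdp_failures_by_user(SAMPLE_EVENTS)` counts alice, bob and carol once each and reports one unresolved event, the one whose account fields were never extracted.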

keithcoyle
New Member

Wow, I see lots of stuff LOL, just need to sort it all out. It is taking a long time to pull everything, but I am guessing that is because it is pulling all the sourcetype data.

0 Karma

woodcock
Esteemed Legend

Instead of using source="WinEventLog:Security" try sourcetype="WinEventLog:Security"

0 Karma

keithcoyle
New Member

I tried the sourcetype and had to go back to the last 7 days to get results, but it did give me the date and number of events. I wanted a chart to show the user, which I thought I had in the search string, but it didn't pipe that part into what I wanted.

0 Karma

woodcock
Esteemed Legend

You could also try these variations: source::WinEventLog:Security and sourcetype::WinEventLog:Security

0 Karma

keithcoyle
New Member

I played around with it and got it to show what I wanted. Thanks for the insight.

0 Karma