Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

count eval, error using AND

nataliamur
New Member
‎12-03-2019 03:44 AM

Hello, I'd like to count events from Windows Logs in my search that include both EventCode="4624" as well as Account_Name!=ssh*, so that it would count events that have event code=4624 and doesn't have an account name starting with ssh.
I'm trying with this:
| stats count(eval(EventCode="4624") AND Account_Name!-=ssh*) as Logged_On
but an error shows up telling "The eval expression for dynamic field 'eval(EventCode="4624") AND eval(Nazwa_konta!=ssh*)' is invalid. Error='The operator at ') AND eval(Nazwa_konta!=ssh*' is invalid.'."
Any ideas how to make it fix?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-03-2019 04:19 AM

@nataliamur

Can you please try this?

YOUR_SEARCH | stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

You can change field name and comparison as per your requirement.

Sample:

| makeresults 
| eval EventCode="4624",Account_Name="ssh" 
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

Thanks

0 Karma
Reply

nataliamur
New Member
‎12-09-2019 02:12 PM

Hi,

maybe I should give you a wider code of what I'm trying to do:

source="WinEventLog:Security"
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%")))) as Logged_ON count(eval(EventCode="4625")) as Fail by ComputerName
| where Logged_On>0 AND Fail >2

So I'm trying to put in "Logged_On" these events that have EventCode=4624 and don't have an account name: ssh.

I've tried what you suggested and didn't work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...