Splunk Search

count eval, error using AND

nataliamur
New Member

Hello, I'd like to count events from Windows Logs in my search that include both EventCode="4624" as well as Account_Name!=ssh*, so that it would count events that have event code=4624 and don't have an account name starting with ssh.
I'm trying with this:
| stats count(eval(EventCode="4624") AND Account_Name!-=ssh*) as Logged_On
but an error shows up telling "The eval expression for dynamic field 'eval(EventCode="4624") AND eval(Nazwa_konta!=ssh*)' is invalid. Error='The operator at ') AND eval(Nazwa_konta!=ssh*' is invalid.'."
Any ideas how to fix it?


kamlesh_vaghela
SplunkTrust

@nataliamur

Can you please try this?

YOUR_SEARCH | stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

You can change field name and comparison as per your requirement.

Sample:

| makeresults 
| eval EventCode="4624",Account_Name="ssh" 
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

Thanks


nataliamur
New Member

Hi,

maybe I should show you more of the code for what I'm trying to do:

source="WinEventLog:Security"
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%")))) as Logged_ON count(eval(EventCode="4625")) as Fail by ComputerName
| where Logged_On>0 AND Fail >2

So I'm trying to put into "Logged_On" the events that have EventCode=4624 and don't have the account name ssh.

I've tried what you suggested and it didn't work.

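As an added example (not posted by anyone in this thread), the follow-up search rebuilt over constructed sample events: the follow-up as written has one closing parenthesis too many after the like() call, and names the field Logged_ON in stats but Logged_On in where, which Splunk treats as two different fields, so the where clause never matches. The host names, account names and event mix below are constructed; on a localized Windows host the account field may carry a different name (the error message in the question shows Nazwa_konta), so use the field name exactly as it appears in your events.

```spl
| makeresults count=7
| streamstats count as n
| eval ComputerName=if(n<=5, "HOST-A", "HOST-B")
| eval EventCode=case(n==1 OR n==2 OR n==6, "4624", true(), "4625")
| eval Account_Name=case(n==1, "ssh-svc", n==2, "alice", n==6, "ssh-backup", true(), "bob")
| stats count(eval(EventCode="4624" AND NOT like(Account_Name, "ssh%"))) as Logged_On
        count(eval(EventCode="4625")) as Fail
        by ComputerName
| where Logged_On>0 AND Fail>2
```

On this sample the result is a single row for HOST-A with Logged_On=1 (alice; the ssh-svc logon is excluded) and Fail=3, while HOST-B drops out because its only 4624 belongs to an ssh account and it has just one 4625. Replace the first five lines with source="WinEventLog:Security" to run it against real data.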