Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

count eval, error using AND

nataliamur
New Member
‎12-03-2019 03:44 AM

Hello, I'd like to count events from Windows Logs in my search that include both EventCode="4624" as well as Account_Name!=ssh*, so that it would count events that have event code=4624 and doesn't have an account name starting with ssh.
I'm trying with this:
| stats count(eval(EventCode="4624") AND Account_Name!-=ssh*) as Logged_On
but an error shows up telling "The eval expression for dynamic field 'eval(EventCode="4624") AND eval(Nazwa_konta!=ssh*)' is invalid. Error='The operator at ') AND eval(Nazwa_konta!=ssh*' is invalid.'."
Any ideas how to make it fix?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-03-2019 04:19 AM

@nataliamur

Can you please try this?

YOUR_SEARCH | stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

You can change field name and comparison as per your requirement.

Sample:

| makeresults 
| eval EventCode="4624",Account_Name="ssh" 
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%"))) as Logged_On

Thanks

0 Karma
Reply

nataliamur
New Member
‎12-09-2019 02:12 PM

Hi,

maybe I should give you a wider code of what I'm trying to do:

source="WinEventLog:Security"
| stats count(eval(EventCode="4624" AND NOT like(Account_Name,"ssh%")))) as Logged_ON count(eval(EventCode="4625")) as Fail by ComputerName
| where Logged_On>0 AND Fail >2

So I'm trying to put in "Logged_On" these events that have EventCode=4624 and don't have an account name: ssh.

I've tried what you suggested and didn't work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...