Splunk Search

search results using data from two indexes

dyolmc
Explorer

I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users. The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data. I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling with what I need to combine in order to make this search work. I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"


Some of the key fields that I'm trying to reference from the indexes are as follows:

index = wineventlog
sourcetype = wineventlog
EventCode=4740
Security_ID = domain\test-user
Account_Name = test-user
Account_Name = dc



index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group



bowesmana
SplunkTrust

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream that contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z


dyolmc
Explorer

Thanks for your help 🙂 Combining the data sets using "| stats values(*) as * by Account_Name" I was able to get what I'm looking for:

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name=*
| stats values(*) as * by Account_Name
| where EventCode=4740 AND OU="Test Users"
| fields Account_Name EventCode OU
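The accepted answer's merge (combine both legs on Account_Name with stats, after trimming fields) can be tightened for use as a scheduled alert. The search below is an added example written for this thread, not code from either poster. It uses the field names shown in the question (Account_Name, sAMAccountName, OU, EventCode) and the OU value "Test Users" from the answer; everything else is an assumption. Instead of checking EventCode and OU after a wildcard stats, it counts how many indexes contributed to each Account_Name: an account only appears with index_count=2 when it both has a 4740 event and exists in the target OU, so the "dc" value that the lockout event also carries in Account_Name drops out on its own. The mvmap step assumes Splunk 8.0 or later; on older versions the thread's lower(coalesce(...)) form is the fallback.

```spl
(index="wineventlog" sourcetype="wineventlog" EventCode=4740)
OR (index="activedirectory" sourcetype="ActiveDirectory" sAMAccountName=* OU="Test Users")
| eval Account_Name=if(isnull(Account_Name), sAMAccountName, Account_Name)
| eval Account_Name=mvmap(Account_Name, lower(Account_Name))
| fields _time index Account_Name EventCode OU
| stats dc(index) as index_count
        count(eval(EventCode=4740)) as lockouts
        max(eval(if(EventCode=4740, _time, null()))) as last_lockout
        values(OU) as OU
        by Account_Name
| where index_count=2 AND lockouts>0
| eval last_lockout=strftime(last_lockout, "%Y-%m-%d %H:%M:%S")
| table Account_Name OU lockouts last_lockout
```

Two practical points when scheduling this. First, the activedirectory leg is only returned if its events fall inside the alert's time range; if that index is a periodic directory dump, either widen the window or move the OU membership into a lookup refreshed on the same schedule, and filter the 4740 events with that lookup instead. Second, if you only need to filter and not enrich, a subsearch that returns the OU's account names (for example `[search index="activedirectory" sourcetype="ActiveDirectory" OU="Test Users" | eval Account_Name=lower(sAMAccountName) | fields Account_Name]`) does the same job in one leg, but it is capped by the subsearch limits (10,000 results and 60 seconds by default), which the stats merge above is not.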