Hi @alex4 - Does something like this help you get to where you want to be:

index=winsec_prod EventCode=4662 ObjectName=*EncryptedDSRMPasswordHistory*
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username

You were referring to EventID in your New Condition, but your SPL was using a field name of EventCode. Also, it looks like the ObjectName field contains the EncryptedDSRMPasswordHistory based on the SPL you shared instead of the Properties field given in your New Condition. Also, I removed the | search in my SPL sample. There's an implied search command happening for SPL, and so if you have | search as your first command you can collapse the boolean expression into the first implied search.
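To show what the coalesce() and stats-by steps of that SPL actually do to events whose field names differ from record to record, here is an added Python emulation of the search; it is not code from the answer above or from Splunk. The field spellings (src_user/user/user_id, Computer/ComputerName, ObjectName/Object_Name) follow the SPL in the answer, and the assumption that a single event can carry both the ObjectName and Object_Name extractions is ours. The sample events are constructed for illustration.

```python
"""Emulate the SPL answer above over constructed Windows Security Event 4662 records.

Added example; not code from the original post or from Splunk. It mirrors the three
SPL stages: the implied search (index/EventCode/ObjectName filter), the eval with
coalesce(), and stats values(...) by ... .
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events. Field spellings deliberately differ between records
# (src_user vs user vs user_id, Computer vs ComputerName); that is the situation the
# coalesce() calls in the SPL compensate for. Both ObjectName and Object_Name are
# present on the assumption that both extractions exist on the same event.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "index": "winsec_prod", "sourcetype": "WinEventLog:Security",
     "EventCode": "4662", "ComputerName": "DC01.corp.example", "src_user": "CORP\\jdoe",
     "ObjectName": "CN=Administrator,CN=Users,DC=corp,DC=example;EncryptedDSRMPasswordHistory",
     "Object_Name": "CN=Administrator,CN=Users,DC=corp,DC=example", "dest": "DC01"},
    {"_time": "2024-05-01T10:00:00", "index": "winsec_prod", "sourcetype": "WinEventLog:Security",
     "EventCode": "4662", "Computer": "DC01.corp.example", "user": "CORP\\jdoe",
     "ObjectName": "CN=Administrator,CN=Users,DC=corp,DC=example;encrypteddsrmpasswordhistory",
     "Object_Name": "CN=Administrator,CN=Users,DC=corp,DC=example", "dest": "10.0.0.5"},
    # Same event code but a different object: the ObjectName wildcard drops it.
    {"_time": "2024-05-01T10:00:01", "index": "winsec_prod", "sourcetype": "WinEventLog:Security",
     "EventCode": "4662", "Computer": "DC01.corp.example", "user": "CORP\\jdoe",
     "ObjectName": "CN=Users,DC=corp,DC=example", "Object_Name": "CN=Users,DC=corp,DC=example", "dest": "DC01"},
    # Right object string but the wrong event code: EventCode=4662 drops it.
    {"_time": "2024-05-01T10:00:02", "index": "winsec_prod", "sourcetype": "WinEventLog:Security",
     "EventCode": "4624", "Computer": "DC01.corp.example", "user": "CORP\\jdoe",
     "ObjectName": "CN=Administrator,CN=Users,DC=corp,DC=example;EncryptedDSRMPasswordHistory", "dest": "DC01"},
    # Only a SID is available: coalesce() falls through to user_id.
    {"_time": "2024-05-01T11:30:00", "index": "winsec_prod", "sourcetype": "WinEventLog:Security",
     "EventCode": "4662", "Computer": "DC02.corp.example", "user_id": "S-1-5-21-1111-2222-3333-1105",
     "ObjectName": "CN=Administrator,CN=Users,DC=corp,DC=example;EncryptedDSRMPasswordHistory",
     "Object_Name": "CN=Administrator,CN=Users,DC=corp,DC=example", "dest": "DC02"},
]

GROUP_BY = ("_time", "index", "sourcetype", "EventCode", "Computer", "username")
VALUE_FIELDS = ("dest", "Object_Name", "ScriptBlockText")


def coalesce(event, *fields):
    """First non-null field, like SPL coalesce(); a missing field or None counts as null."""
    for field in fields:
        if event.get(field) is not None:
            return event[field]
    return None


def spl_match(value, pattern):
    """Splunk-style wildcard match: '*' is the wildcard and matching is case-insensitive."""
    return value is not None and fnmatchcase(str(value).lower(), pattern.lower())


def search_dsrm_access(events, event_code="4662", object_pattern="*EncryptedDSRMPasswordHistory*"):
    """The implied search plus the eval line: filter, then derive username and Computer."""
    rows = []
    for ev in events:
        if ev.get("index") != "winsec_prod" or ev.get("EventCode") != event_code:
            continue
        if not spl_match(ev.get("ObjectName"), object_pattern):
            continue
        row = dict(ev)
        row["username"] = coalesce(ev, "src_user", "user", "user_id")
        row["Computer"] = coalesce(ev, "Computer", "ComputerName")
        rows.append(row)
    return rows


def stats_values(rows, group_by=GROUP_BY, value_fields=VALUE_FIELDS):
    """stats values(...) by ...: distinct, sorted values per group; an absent field yields []."""
    groups = defaultdict(lambda: {f: set() for f in value_fields})
    for row in rows:
        key = tuple(row.get(f) for f in group_by)
        for field in value_fields:
            if row.get(field) is not None:
                groups[key][field].add(row[field])
    return {key: {f: sorted(v) for f, v in vals.items()} for key, vals in groups.items()}


if __name__ == "__main__":
    for key, vals in stats_values(search_dsrm_access(SAMPLE_EVENTS)).items():
        print(dict(zip(GROUP_BY, key)), vals)
```

Running it shows why the eval matters: the first two sample events name the same user and host under different field names, and only after coalesce() do they land in the same stats group, with values(dest) collecting both destination values. ScriptBlockText is absent from 4662 events, so that column comes back empty, exactly as it would in Splunk.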