So this is what I ended up doing (it uses suggestions from a couple of the above posts):
index=[my index] host=[my hosts] sourcetype=XmlWinEventLog:Security EventCode=4624 (LogonType=10 OR LogonType=2 OR LogonType=7)
|search user!="ANONYMOUS LOGON" user!="*$" user!="SYSTEM"
|table _time, user, LogonType, Description, Computer
|lookup Logon.csv LogonType OUTPUT Description
|rename _time AS Time, user AS User, Computer AS Host, LogonType AS "Logon Type"
|sort -Time
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time
I created a lookup.csv file with the three logon types and corresponding descriptions. I can always add more if necessary. So now my table shows Time, User, Logon Type, Description, and Host columns. I was hoping there was a way to get rid of the Description column and just replace the "Logon Type" result (e.g., 10, 7, or 3) with the Description text. Thanks for the help. I'm not sure which reply would be the best "Accepted" answer.