About pateld

pateld · ‎09-16-2016

I was "sort" command which has limit for 10000 thanks

piebob · ‎05-27-2016

patel, please don't post a comment as an answer. there is a link to 'add comment'. thanks.

woodcock · ‎05-28-2016

First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called host and is in a lookup definition called DCs (pointing to a lookup file called anything you like). Then you can do this: index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs]

BenTan · ‎09-08-2016

Hi, Not sure if this is related, we did face an issue with one of the Administrator Audit panels under the Active Directory section: Administrator Logons. After troubleshooting, we discovered part of the search was incorrect which leads to inaccurate results return. The default search for the panel is as below: eventtype=msad-successful-user-logons dest_nt_domain="$select242$" user="$select244$"|rename src as src_ip|`ip-to-host`|`fix-localhost`|lookup SiteInfo host|dedup consecutive=t Site,src_nt_host,src_ip|table _time,Site,src_nt_host,src_ip|rename src_nt_host as Workstation,src_ip as "IP Address" Just remove the |rename src as src_ip and the panel should return the proper result. Hope this help!

Posts	6
Solutions	0
Karma Given	0
Karma Received	1
Member Since	‎05-16-2016

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

How to use the C# SDK to return a large search res...

dnslookup for Ip6

How can I search Windows security events to track ...

Splunk App for Windows Infrastructure: How to get ...

Re: How to use the C# SDK to return a large search...

Re: dnslookup for Ip6

Re: How can I search Windows security events to tr...

Re: Splunk App for Windows Infrastructure: How to ...

Join the Conversation