Thank you sir! ... View more

Hello , search is like: index=FW  |stats count by Src,Dst,sni results are like: 192.168.1.12    2.23.259.24   assets.msn.com 192.168.1.20    3.68.77.130    in the second row, the sni is empty. using a workflow, I can get the info of this IP (Amazon Technologies) but I have 2 issues: 1- I just need to get back single field (for example: Organization) 2- I want to be able to have this field (result of the workflow OR kind of External web lookup!) available in my reports and search results, like an extracted field. Thank you in advance for your kind support.   ... View more

Hi, Sorry, I am afraid I did not get what is this? would you please elaborate? Thank you ... View more

Yes, I was using this stats command. My concern is about the chart, so it seems this is the only way: to not attach PDF and include the Table inline.   Thank you very much ... View more

I have added the search and chart, but seems in wrong level. Please check. Thank you ... View more

Hi, search is like: index=FW |table Src,Dst,pt |dedup Src,Dst,pt |rename Src as "Source",Dst as "Destination", pt as "Port" chart is like: Which I do not need it. I managed for now as a workaround to Not attache PDF and use Inline Table. Is it the only way to do this? Thank you   ... View more

Any one can assist please? ... View more

@gcusello  Appreciate your support ad assistance. Thank you ... View more

@gcusello  Appreciate your advices. When I try  sourcetype=WinHostMon Type=Application I do not have data back. when I run  Get-WmiObject -Class Win32_Product * in powershell it gets data , but nothing on install date. I tried to modify the inputs.conf and add: [WinHostMon://application] type = application interval = 60 but no data ingested. Unfortunately I got lost with the scripting method. Isn't it possible just to modify the inputs.conf? Thank you again. ... View more

Hello @gcusello , Thank you, I have Windows TA but in the config I have [WinEventLog://Application], would you please advise about Discovery? and how to enable/use it? Or a reference please? Appreciate your advise. Thank you ... View more

Thank you, It works, however I am still worried that I may lose some events. Thank you very much for your help. ... View more

Ah, yes. Now I got your point regarding the time. I will handle it, thank you. Back to main issue: - I have one indexer only. - I compared 2 problematic events. the only differences are: Logon ID:  (0x32E964BA , 0x32E964D4) Source Port: (54833,54835) What is the solution? How to ignore these? Thank you again ... View more

Dear @ITWhisperer   Thank you for your response. As for the where clause, I agree. date_hour does not hold the data, hour field is ok. we need to now about working in forbidden hours, which is after 11 PM until 6 AM. The result I have has same hostname, same event code 4624. This is main search I have with results attached: index=main source="WinEventLog:Security" EventCode="4624" OR EventCode="539" OR (EventCode="529" AND EventCode="537") OR (EventCode="547" AND EventCode="549") |where (Logon_Type!=3 OR ( NOT LIKE(host,"DC%"))) AND Logon_Type!=9 | eval Signed_Account=mvindex (Account_Name,1) |eval hour=strftime(_time,"%H") |regex Signed_Account!="\$" | search Signed_Account=* Signed_Account!="SYSTEM" Signed_Account!="ANONYMOUS LOGON" Signed_Account!="Administrator" (hour>23 OR hour<6) | table host,Signed_Account,EventCode,_time ... View more