I need AD auth events and some have multiple entries for Account Name field. One entry is a hyphen (-). Can someone help me build a query to split these into 2 columns, so I can use the entry with the value and not the one with hyphen (-)
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0X0
Logon Type: 3
Account For which Logon failed:
Security ID: S-1-0-0
Account Name: xyz
Account Domain: domain.local
I need only the Account name information in the event where logon failed. But when I use an eval, am unable to get only 'xyz'
Any help is appreciated.
R
Sharad
... View more