×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
ashishdesai
New Member
Member since: ‎02-24-2017
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-24-2017
Topics I've Started
No posts to display.
View All

Re: How do I find Active Directory usernames loggi...

by in Splunk Search
‎02-24-2017 02:22 PM
‎02-24-2017 02:22 PM
> index=AD host=YOURSTSBOX > EventCode=500 OR EventCode=501 OR > EventCode=299 | rex "Instance > id:\s+(?<instance>\S+)" | > transaction instance maxspan=5s | rex > "Relying party:\s+(?<rely>\S+)" | rex > "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)" > | stats dc(nt_account) as count by > rely|sort -count ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM