Community
Splunk Answers
Splunk Administration
Deployment Architecture
Getting Data In
Installation
Security
Knowledge Management
Monitoring Splunk
Using Splunk
Splunk Search
Dashboards & Visualizations
Splunk Dev
Alerting
Reporting
Other Usage
Splunk Platform Products
Splunk Enterprise
Splunk Cloud Platform
Splunk Data Stream Processor
Splunk Data Fabric Search
Splunk Premium Solutions
News & Education
Blog & Announcements
Community Blog
Product News & Announcements
Practitioner Resources
Adoption Boards
Community Office Hours
Splunk Tech Talks
Great Resilience Quest
Training & Certification
Training + Certification Discussions
Training & Certification Blog
Community Lounge
Getting Started
Welcome
Feedback
SplunkTrust
User Groups
Splunk Love
Apps and Add-ons
All Apps and Add-ons
User Groups
Resources
SplunkBase
Developers
Documentation
Splunk Ideas
Sign In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
All community
Knowledge base
ashishdesai
Users
Products
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
Ask a Question
About ashishdesai
ashishdesai
New Member
Member since:
02-24-2017
06-05-2020
Community Statistics
Posts
1
Solutions
0
Karma Given
0
Karma Received
0
Member Since
02-24-2017
Activity Feed
Posted
Re: How do I find Active Directory usernames logging in to ADFS from the Outlook App for iOS or Android?
on
Splunk Search
.
02-24-2017
02:22 PM
Topics I've Started
No posts to display.
View All
Latest Contributions by ashishdesai
Topics ashishdesai has Participated In
Latest Contributions by ashishdesai
Re: How do I find Active Directory usernames loggi...
by
ashishdesai
in
Splunk Search
02-24-2017
02:22 PM
02-24-2017
02:22 PM
> index=AD host=YOURSTSBOX > EventCode=500 OR EventCode=501 OR > EventCode=299 | rex "Instance > id:\s+(?<instance>\S+)" | > transaction instance maxspan=5s | rex > "Relying party:\s+(?<rely>\S+)" | rex > "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)" > | stats dc(nt_account) as count by > rely|sort -count
... View more
Contact Me
Online Status
Offline
Date Last Visited
06-05-2020
02:04 AM