For any of the proposed search to work, SubjectUserName in wineventlog must be an exact match of distinguishedName in adusers.  Given aduser is based on Active Directory and that you are expecting LDAP-like format in distinguishedName, I highly doubt the two fields can match exactly. You are probably expecting SubjectUserName to match CN in DN, instead of matching DN itself.  If this is the case, you cannot use simple lookup unless you can and are willing to modify aduser table.  If modifying the table is not an option, you have to use inputlookup.  This also means that the search is not going to perform too well if aduser is large.  But you can try something like this. index=wineventlog EventCode IN (4720, 4726, 4738, 4724) | join SubjectUserName [| inputlookup adusers | rename distinguishedName as _raw | kv kvdelim="=", pairdelim="," | where OU == "Information Technology" | rename CN as SubjectUserName ] ... View more

Thank you!! ❤️ ... View more

thank you!!!!!!!!!!!!! 🙂 ... View more

index=wineventlog EventCode=4725 | bin span=5m _time | stats count, values(user) by _time EventCode | where count > 10 ... View more

@weetabixsplunk  The concurrency command has no by-clause, and the concurrency field value it returns includes all observed events. In your case, all events is all VPN sessions. Assuming both Cisco and Fortinet solutions log events at session end with minimal indexing delay, you can find which users ended multiple sessions within a five minute window using streamstats: tag=network tag=session tag=vpn | streamstats time_window=5m count by user | where count>1 | table _time user count If you expect sessions to overlap with end times more than five minutes apart, you can modify the time_window argument. This isn't a perfect solution, but it may work well for ad hoc investigations. ... View more

I tried this but I keep getting a message saying  "Field ' time_bins' does not exist in the data" ... View more

Hi @weetabixsplunk !   Have a look here, and let me know if this helps : https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell   Cheers, David ... View more

Normally what I would do to keep the intel kvstores clean and fresh is to limit the age of the entries by running a daily cleanup job: A simple vanilla flavored example: |inputlookup ip_intel |eval treshold = now()-86400 |where time>treshold ||outputlookup ip_intel ... View more