What is the retention period on your index - you may need to extend it beyond 3 months. Alternatively, create a report to "archive" the essential information to a summary index with a longer retention period. ... View more

Hi @darphboubou , I haven't event samples so I cannot see the field in interesting fields panel, so, running the main search  index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" which fields do you have in Interesting Fields panel? Choose the ones to use for stats searches: e.g. if you want the number for user or for host, you could run something like: index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | stats count BY user or  index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | chart count OVER user BY host then choose the fields to display in a table search: index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | table _time host user domain action ... As I said the most valuable job is to know what to search, then you can learn how to search in Splunk using the Search Tutorial. Saving these searches in different dashboard's panels, you'll have your dashboard, to monitor your Use Case Ciao. Giuseppe ... View more

The challenge with using the host field from the windows index is the stats command does not provide that field.  The command would have to be changed to include the field so it can be added to subsequent table commands for display. index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2") | stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ ***values(host) as host*** by Workstation_Name | where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1") | join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os] | table Workstation_Name Package_Name__NTLM_only_ os ***host*** | where isnotnull(os) | sort Workstation_Name I used *** to indicate new code.  Remove them before running the query. ... View more

Hi @darphboubou, to execute the first search you don't need all the things you have in the lookup generation, so you should try something like this: index=windows EventCode=4624 [ search index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1" | fields Workstation_Name ] | lookup damtest2.csv Server AS Workstation_Name OUTPUT os | table Workstation_Name os Package_Name__NTLM_only_ | dedup Workstation_Name Package_Name__NTLM_only_ | sort Workstation_Name | where Package_Name__NTLM_only_="NTLM V2" Ciao. Giuseppe ... View more

Hi @darphboubou, nothing: no commas or other between fields. You have only to put attention to the field names. ciao. Giuseppe ... View more

done :).     ... View more