When I search this on its own it comes up with what I need, but when I put it into the Dashboard it comes up with "Awaiting Data Input":

    (index=windows_* OR index=win*)
    (sourcetype="wineventlog:security" OR source="wineventlog:security" OR sourcetype="xmlwineventlog:security" OR source="xmlwineventlog:security" OR sourcetype="wineventlog*" OR source="wineventlog*" OR sourcetype="xmlwineventlog*" OR source="xmlwineventlog*")
    signature_id IN (4720 4722 4725 4726 4738) Target_Account_Name!=*$ Subject_Account_Name!=*$
    | eval signature=coalesce(signature, EventCode_Description)
    | eval Computer_Name=coalesce(Computer_Name,ComputerName,Computer)
    | eval New_Message=coalesce(Message,message,body,EventData_Xml)
    | stats count earliest(_time) as earliest latest(_time) as latest values(Computer_Name) as src values(signature) as signature values(signature_id) as signature_id values(Logon_ID) as Logon_ID values(TaskCategory) as Task_Category values(Device_Name) as device by dest, Subject_Account_Name, Target_Account_Name, host
    | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(earliest)
    | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(latest)
    | fields count earliest latest Target_Account_Name Subject_Account_Name signature signature_id dest host src Logon_ID Task_Category

Any ideas?