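This is my current search query:

```Password change (4723) and password reset (4724) attempts whose TARGET account is a member of Domain Admins.
Inline comments need Splunk 8.0 or later; strip them on older versions.
Replace mydomain with the real domain. The posted form had nested quotes around the domain component
(dc="mydomain") which end the dn string early and break the WHERE clause; most likely a redaction artifact.```
index=wineventlog (EventCode=4724 OR EventCode=4723)
    ```Explicit grouping: Splunk evaluates OR before an implicit AND (the reverse of SQL), so the
       original was parsed as intended, but the parentheses make that unambiguous to the next reader.```
    ```Free-text prefilter: naming the stats output "search" makes format emit bare terms, ( ( a OR b ) ),
       so the index scan is narrowed to events that mention an admin account name at all.
       Subsearches are capped by limits.conf [subsearch] maxout and maxtime; a large Domain Admins group
       or a slow lookup silently truncates this list, and Total_Events then undercounts. Keep an eye on
       the subsearch warnings in the job inspector.```
    [| inputlookup AD_Obj_User WHERE domain="mydomain" AND
        [| inputlookup AD_Obj_Group WHERE dn="cn=domain admins,cn=users,dc=mydomain,dc=com"
        | fields member
        | rename member AS dn
        | format]
    | fields sAMAccountName
    | stats values(sAMAccountName) AS search
    | format]
| fields _time, host, src_user, user, sourcetype, EventCode, signature, _raw
| stats count AS Total_Events, max(_time) AS Last_Time BY EventCode, signature, src_user, user
    ```Second pass restricts the TARGET (user) field. The free-text prefilter above also keeps events where
       an admin is only the actor (src_user), which is not what this report is after. The Windows TA is
       assumed to map the target account to user and the acting account to src_user; confirm on this sourcetype.
       This subsearch duplicates the one above apart from the alias; moving it into a macro keeps the two copies from drifting.```
| search
    [| inputlookup AD_Obj_User WHERE domain="mydomain" AND
        [| inputlookup AD_Obj_Group WHERE dn="cn=domain admins,cn=users,dc=mydomain,dc=com"
        | fields member
        | rename member AS dn
        | format]
    | fields sAMAccountName
    | stats values(sAMAccountName) AS user
    | format]
| eval Last_Time=strftime(Last_Time, "%m/%d/%y %I:%M:%S %P")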