You're right, with the dedup it's better I'm glad we came to a solution together Happy splunking! 😀 ... View more

Hello @PiotrAp , In the query you can see the "SUCCESS" status on the second step of the authentication, so on the event 1001. The status of the event 1000 corresponding to this auth is still FAILURE because the second step didn't already happen. If you add a "| search event_id=1001" at the end of the search, does that solve your problem? You will have only the success event for user "test", but you will not have all the 1000 events that don't have a 1001 after. What do you want to keep exactly ? 🙂 ... View more

If you absolutely want to remove some fields, as they are defined by the add-on, you have two choices : - Edit the add-on by removing the corresponding lines in props.conf in the add-on folder, but you will have to patch that at each update of the add-on, that's generally not a good idea - Add a custom eval for each field you want to delete, by defining a new stanza in your local props.conf : [your_sourcetype] EVAL-your_fieldname=null()  ... View more

Hello @PiotrAp , You can try something like that : | makeresults | eval event_id=1000, username="test", Computer="xx1", _time=strptime("2025-06-30 16:26:27.01", "%Y-%m-%d %H:%M:%S.%N"), resource="example1" | append [| makeresults | eval event_id=1000, username="test", Computer="xx2", _time=strptime("2025-06-30 16:26:27.02", "%Y-%m-%d %H:%M:%S.%N"), resource="example2"] | append [| makeresults | eval event_id=1001, username="test", _time=strptime("2025-06-30 16:26:27.03", "%Y-%m-%d %H:%M:%S.%N"), resource="example3"] | append [| makeresults | eval event_id=1000, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:29", "%Y-%m-%d %H:%M:%S"), resource="example2"] | append [| makeresults | eval event_id=1001, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:32", "%Y-%m-%d %H:%M:%S"), resource="example3"] | sort _time | streamstats time_window=1s last(event_id) AS current_event_id, last(eval(if(event_id=1000,event_id,null()))) AS previous_event_id, last(eval(if(event_id=1000,_time,null()))) AS previous_time, last(eval(if(event_id=1000,Computer,null()))) as previous_computer, last(resource) AS current_resource by username | eval status = if(current_event_id=1001 and previous_event_id=1000,"SUCCESS","FAILURE") (The makeresults lines are here to generate some data to test the query) In the results, you can see that the "success" status has the time & the computer of the previous event 1000 in the "previous_time" and "previous_computer" fields, and the resource of the event 1001 in the current_resource field.  (I handled the case you have multiple 1000 event before the 1001, we want to keep only the fields of the last 1000 event) The user "truc" doesn't have a success event because the 2 events aren't in a 1s time window. If you run this query you will see the results like : Computer _time current_event_id current_resource event_id previous_computer previous_event_id previous_time resource status username                       xx1 2025-06-30 16:26:27.010 1000 example1 1000 xx1 1000 1751293587.010000 example1 FAILURE test xx2 2025-06-30 16:26:27.020 1000 example2 1000 xx2 1000 1751293587.020000 example2 FAILURE test   2025-06-30 16:26:27.030 1001 example3 1001 xx2 1000 1751293587.020000 example3 SUCCESS test yyy 2025-06-30 16:26:29.000 1000 example2 1000 yyy 1000 1751293589.000000 example2 FAILURE truc yyy 2025-06-30 16:26:32.000 1001 example3 1001       example3 FAILURE truc Does that answer your question? 🙂 ... View more

Hello @Kosyay , Those additionnal lowercase fields are defined by the Splunk_TA_Windows add-on to be compliant with Splunk CIM. You can find the list of the CIM fieldnames here : https://help.splunk.com/en/splunk-cloud-platform/common-information-model/6.0/data-models/cim-fields-per-associated-data-model The CIM helps you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. So I'm not sure you want to remove those fields 😉 If you want to see where those fields are defined, open the add-on archive, and you will see the alias and eval definitions in the file "Splunk_TA_windows\default\props.conf" ... View more