hello all, I am trying to figure out why my iplocation report isnt providing the city,country under statistics. Below is my search that is providing the IP field in the table but the other two columns are blank. Any assistance would be great here.  index=wineventlog EventCode=4624 | search src_ip="*" ComputerName="*" user="*" | eval "Source IP" = coalesce(src_ip,"") | eval clientip=src_ip | iplocation allfields=false "Source IP" | table "Source IP", city, country ... View more

Hi all, I am struggling a bit with incorporating a lookup into my searches.  I have a lookup file that is a single column of IP addresses and a header of TORIP. It should be a pretty basic search index=* src_ip=* followed by the lookup. I added the lookup file and lookup definition but when I run a search it fails saying the lookup table doesnt exist.    ... View more

Hi All, I am looking to create an alert based on the following base search. index=wineventlog w19tax.exe app_name=W19TAX . I am specifically looking for the alert to only trigger when the same SID comes up multiple time for the same application. example event: 09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run. ... View more

Hi All, I am looking for a little help with a search today. I am looking to create an alert based on this search that only triggers when the same hostname comes up twice in a row.  so far the search I have is I am unsure how to include/return two machines of the same name: index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded" | rex field=_raw "Actual value\\\":\s+\\\"(?<actual_value>\d+)" | search actual_value>=10 | table Target,actual_value,ApplicationName,Title here is an example event: 07/14/2021 10:39:49 AM LogName=LoginPI Events EventCode=800 EventType=4 ComputerName=RNBSVSIMGT02.rightnetworks.com SourceName=Application Threshold Exceeded Type=Information RecordNumber=1786721 Keywords=Classic TaskCategory=None OpCode=Info Message={ "Description": "Measurement duration (7.561s) exceeded threshold of 5s (51.22%)", "Actual value": "7.561", "Threshold value": "5", "Measurement": "quickbooksopen_2021", "Locale": "English (United States)", "RemotingProtocol": "Rdp", "Resolution": "1920 × 1080", "ScaleFactor": "100%", "Target": "BPOQCP01S01", "TargetOS": "Microsoft Windows Server 2016 Standard 10.0.14393 (1607)", "AppExecutionId": "4ed43186-648c-4e8e-96ee-9e4b52e468cb", "AccountId": "a4a6655b-f7ac-4783-aec5-698a146eb2cf", "AccountName": "rightnetworks\\eloginpi082", "LauncherName": "RNBSVSI23", "EnvironmentName": "BPOQCP01S01", "EnvironmentId": "bc31c8f6-e8c0-4278-93c3-08d8040960f8", "ApplicationName": "QB_2021_Open", "ApplicationId": "ece9c6b9-6662-45be-970d-2708603ca13b", "Title": "Application threshold exceeded" } ... View more

Hello all,   Looking for some help with a perfmon search.  index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk"  instance=_total | timechart sum(Disk_Transfers/sec) span=90s   This gives me all the IO of the hosts, but it only seems accurate if I chart it to 90s span, which is how often it queries. If I change that then the sum obviously just puts all the values together. What I want to do is show longer periods of time, but still have it counting the sum of each reading (like a bucket) over time and not adding all numbers over the whole period (span) together. I want to force it to always use the time as the bucket. Any help is much appreciated. ... View more