If there were three or more consecutive events, they would all be added in. You can possibly see this already if you check the field "eventcount".
OH! I see why. Sorry, I wasn't paying close enough attention.
In the initial search, you search ONLY for (EventCode=5059 OR EventCode=4648). So that's all you get. And if you then build a transaction starting with 5059 and ending with 4648...
Try removing that bit.
sourcetype="WinEventLog:Security" host=PC*
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name
Let me know if that's better. 🙂
-Rich
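Added example, not from the original post and not Splunk's own `transaction` implementation: a simplified Python model of the grouping the search above performs (start on 5059, end on 4648, maxspan of 5 seconds per host, orphans dropped), run once over the full event stream and once over a stream pre-filtered to only the two EventCodes, to show why the pre-filter leaves nothing but the start and end events in each transaction. The events are constructed sample data and the hypothetical `build_transactions` helper is a simplified model, not Splunk's exact semantics.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): one host, a 4624 between the
# 5059 and 4648 for alice, and a 5059/4648 pair for bob that is too far apart.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01 10:00:00", "host": "PC01", "EventCode": 5059, "Account_Name": "alice"},
    {"_time": "2024-01-01 10:00:01", "host": "PC01", "EventCode": 4624, "Account_Name": "alice"},
    {"_time": "2024-01-01 10:00:02", "host": "PC01", "EventCode": 4648, "Account_Name": "alice"},
    {"_time": "2024-01-01 10:00:30", "host": "PC01", "EventCode": 5059, "Account_Name": "bob"},
    {"_time": "2024-01-01 10:00:40", "host": "PC01", "EventCode": 4648, "Account_Name": "bob"},
]


def _t(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def build_transactions(events, start_code=5059, end_code=4648,
                       maxspan=timedelta(seconds=5), prefilter=False):
    """Simplified model of `transaction ... startswith endswith maxspan keeporphans=false host`.

    prefilter=True mimics restricting the base search to the start/end codes only,
    which is what removes the intermediate events from every transaction.
    """
    if prefilter:
        events = [e for e in events if e["EventCode"] in (start_code, end_code)]
    by_host = defaultdict(list)
    for e in sorted(events, key=_t):
        by_host[e["host"]].append(e)

    transactions = []
    for host, evs in by_host.items():
        current = None
        for e in evs:
            if current and _t(e) - current["start"] > maxspan:
                current = None  # ran past maxspan with no end event: orphan, dropped
            if e["EventCode"] == start_code:
                current = {"host": host, "start": _t(e), "events": [e]}  # a new start opens a new group
            elif current is not None:
                current["events"].append(e)
                if e["EventCode"] == end_code:
                    current["eventcount"] = len(current["events"])
                    transactions.append(current)
                    current = None
    return transactions
```

With the full stream the one surviving transaction has eventcount 3 (the 4624 is kept); with the pre-filtered stream it has eventcount 2, and bob's pair is dropped either way because it exceeds the 5-second span.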