I am trying to get the top 10 Failed Login count by User. The problem is that Windows 2008 uses "Account_Name" and Windows 2003 uses "User_Name", so I've used eval to combine the two fields, but I am also using rex to go to the second instance of the Account_Name in the Windows 2008 event. The rex expression doesn't seem to work when I throw eval in there. Below is my search string; any suggestions?
source="WinEventLog:Security" EventCode="4625" OR EventCode="529" | eval USER=coalesce(Account_Name,User_Name) | rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<USER>\V+)" | stats count by USER | sort -count | head 10
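As an added illustration (this is editor-supplied Python, not part of the question or any answer on the page), the script below models the extraction the search is trying to do, using constructed sample events rather than real logs. A 4625 message carries "Account Name:" twice, first under "Subject:" and then under "Account For Which Logon Failed:", so taking the first match yields the subject account (typically "-" for a network logon) instead of the account that failed; the regex from the question, anchored on the "Account For Which Logon Failed" heading, skips to the second one. The example extracts with that regex first and only then falls back to the Windows 2003 "User Name:" field, which is the ordering the Splunk pipeline needs (rex before coalesce). Assumptions: the event layouts are abbreviated, and Python's re module has no \V, so [^\r\n]+ stands in for it.

```python
import re
from collections import Counter

# Equivalent of the rex from the question, with the named capture group restored.
# Python's re has no \V (non-vertical-whitespace), so [^\r\n]+ is used instead.
TARGET_ACCOUNT_4625 = re.compile(
    r"Account For Which Logon Failed.+?Account Name:\s+(?P<USER>[^\r\n]+)", re.S
)
# A naive extraction that stops at the FIRST "Account Name:" (the Subject block).
FIRST_ACCOUNT_NAME = re.compile(r"Account Name:\s+(?P<USER>[^\r\n]+)")
# Windows 2003 (EventCode 529) carries a single "User Name:" field.
USER_NAME_529 = re.compile(r"User Name:\s+(?P<USER>[^\r\n]+)")


def naive_first_account_name(raw):
    """First 'Account Name:' in the message; for 4625 this is the Subject account."""
    m = FIRST_ACCOUNT_NAME.search(raw)
    return m.group("USER").strip() if m else None


def failed_logon_user(event):
    r"""Return the account that failed to log on, or None if it cannot be found.

    Mirrors the intended search order: extract the second "Account Name:" of a
    4625 event first, then fall back to User_Name for 529, i.e. in SPL
      ... | rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<USER>\V+)"
          | eval USER=coalesce(USER, User_Name)
    """
    raw = event["_raw"]
    if event["EventCode"] == "4625":
        m = TARGET_ACCOUNT_4625.search(raw)
    elif event["EventCode"] == "529":
        m = USER_NAME_529.search(raw)
    else:
        return None
    return m.group("USER").strip() if m else None


def top_failed_users(events, n=10):
    """Equivalent of '| stats count by USER | sort -count | head n'."""
    counts = Counter()
    for ev in events:
        user = failed_logon_user(ev)
        if user is not None:  # events with no extractable account are dropped
            counts[user] += 1
    return counts.most_common(n)


# Constructed, abbreviated event bodies (not real logs). Windows 2008 4625:
EVENT_4625 = (
    "An account failed to log on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\t-\r\n"
    "\tAccount Domain:\t\t-\r\n\r\n"
    "Logon Type:\t\t\t3\r\n\r\n"
    "Account For Which Logon Failed:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\t{user}\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
)
# Windows 2003 529:
EVENT_529 = (
    "Logon Failure:\r\n"
    "\tReason:\t\tUnknown user name or bad password\r\n"
    "\tUser Name:\t{user}\r\n"
    "\tDomain:\t\tCORP\r\n"
    "\tLogon Type:\t3\r\n"
)

SAMPLE_EVENTS = (
    [{"EventCode": "4625", "_raw": EVENT_4625.format(user="jdoe")}] * 3
    + [{"EventCode": "4625", "_raw": EVENT_4625.format(user="svc_backup")}] * 2
    + [{"EventCode": "529", "_raw": EVENT_529.format(user="jdoe")}] * 2
    + [{"EventCode": "529", "_raw": EVENT_529.format(user="asmith")}]
    # A truncated 4625 with no target account: must not produce a bogus user.
    + [{"EventCode": "4625", "_raw": "An account failed to log on.\r\n(truncated)\r\n"}]
)

if __name__ == "__main__":
    print("first match only:", naive_first_account_name(SAMPLE_EVENTS[0]["_raw"]))
    print("target account:  ", failed_logon_user(SAMPLE_EVENTS[0]))
    for user, count in top_failed_users(SAMPLE_EVENTS):
        print(f"{user:<12} {count}")
```

Running it shows the naive first match returning "-" for the 4625 event while the anchored regex returns the target account, and the top list combining 4625 and 529 counts for the same user into a single row.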