Getting Data In

Need assistance with a command for application.

jovnice
Explorer

I keep getting an error message when I am attempting to run this command:

* EventCode=* user=* WinEventLog:Application
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"

I need to pull the applications that are running in the event viewer. I was able to pull them in a different location, but I want it to show more information, together with the user information.


jovnice
Explorer

I also tried this for my search: source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=*

Received this for a message: No results found. Try expanding the time range.


gcusello
SplunkTrust
SplunkTrust

Hi @jovnice,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust
SplunkTrust

Hi @jovnice,

I hint to add index=wineventlog because it gives you better performance than the following solution!

Anyway, if you don't want this solution, you could add the wineventlog index to the default search path (in [Settings > Roles > <your_role> > Indexes]).

Ciao.

Giuseppe


VatsalJagani
SplunkTrust
SplunkTrust

@jovnice - Please specify index. If you don't know the index, run this search for a longer time range, something like the last 7 days or so.

 

index=* source="*WinEventLog:Application"

 

Try this search and see if you see any results. Once you see any results then you can add more search criteria.

 

I hope this helps!!! Kindly upvote if this helps!!

jovnice
Explorer

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "index-name">source.
The search job has failed due to an error. You may be able view the job in the 

VatsalJagani
SplunkTrust
SplunkTrust

Please copy-paste the search query I gave.

Also, put your search query that you are trying to run here, so I can check what's wrong.

gcusello
SplunkTrust
SplunkTrust

Hi @jovnice,

WinEventLog:Application should be the source field and not a string as you are using.

Anyway, what's the error you're receiving?

Ciao.

Giuseppe


VatsalJagani
SplunkTrust
SplunkTrust

index=<index-name> source="WinEventLog:Application" EventCode=* user=*

Also, please mention the specific error that you are getting, so we can help!!

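As an added example that is not from any post in this thread, the original search rewritten the way the replies suggest: the index is stated explicitly (`<index-name>` is a placeholder for whichever index the `index=* source="*WinEventLog:Application"` search reveals), and `WinEventLog:Application` and `WinEventLog:Security` are matched as values of the `source` field instead of as bare text terms. The Security source is included because the failed-logon (4625, 4771) and lockout (644, 4740) EventCodes counted by the `stats` line are Security-log events; the lockout flag is limited to those two lockout codes, since 4624 is a successful logon.

```spl
index=<index-name> (source="WinEventLog:Application" OR source="WinEventLog:Security") EventCode=* user=*
| eval src_nt_host=coalesce(src_nt_host, host)
| eval lockout=if(EventCode==644 OR EventCode==4740, "Yes", "No")
| stats latest(_time) as time,
        latest(src_nt_host) as host,
        latest(lockout) as lockedout,
        values(dest_nt_domain) as dest_nt_domain,
        count(eval(EventCode==4625 OR EventCode==4771)) as count,
        values(Source_Network_Address) as Source_Network_Address
        by user
| eval time=strftime(time, "%c")
| rename user AS "User Name", Source_Network_Address AS "IP Address", count AS "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
```

If the index is not in the role's default search path, either keep `index=` in the search or add the index to the role as described above; without one of the two the search returns nothing even when the events exist.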