Getting Data In

Need assistance with a command for application.

jovnice
Explorer

I keep getting an error message when I am attempting to run this command:

source="WinEventLog:Application" EventCode=* user=*
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode==4625 OR EventCode==4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user as "User Name", Source_Network_Address as "IP Address", count as "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"

I need to pull the applications that are running in Event Viewer. I was able to pull them in a different location, but I want it to show more information, together with the user information.


jovnice
Explorer

I also tried this for my search: source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=*

Received this message: No results found. Try expanding the time range.


gcusello
SplunkTrust

Hi @jovnice ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust

Hi @jovnice ,

I suggest adding index=wineventlog because it gives you better performance than the following solution!

Anyway, if you don't want this solution, you could add the wineventlog index to the default search path (in [Settings > Roles > <your_role> > Indexes]).

Ciao.

Giuseppe


VatsalJagani
SplunkTrust

@jovnice - Please specify index. If you don't know the index, run this search for a longer time range, something like the last 7 days or so.

index=* source="*WinEventLog:Application"

Try this search and see if you see any results. Once you see any results then you can add more search criteria.
I hope this helps!!! Kindly upvote if this helps!!

jovnice
Explorer

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "index-name">source.
The search job has failed due to an error. You may be able view the job in the

VatsalJagani
SplunkTrust

Please copy-paste the search query I gave.

Also, put your search query that you are trying to run here, so I can check what's wrong.

gcusello
SplunkTrust

Hi @jovnice,

WinEventLog:Application should be the source field and not a string as you are using.

Anyway, what's the error you're receiving?

Ciao.

Giuseppe


VatsalJagani
SplunkTrust

index=<index-name> source="WinEventLog:Application" EventCode=* user=*

Also, please mention the specific error that you are getting, so we can help!!

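Putting the two pieces of advice from the answers together (name the index explicitly, and filter on the quoted source field rather than a bare term), here is an added example of the complete failed-logon and lockout report the original post was working toward. It is not code from the thread; it assumes the Windows events live in an index named wineventlog (Giuseppe's suggestion; replace it with the index that VatsalJagani's index=* search reveals) and that the Splunk Add-on for Windows has extracted the user, src_nt_host, dest_nt_domain and Source_Network_Address fields. It reads the Security and Application sources in one search, which is what the OR attempt in the question was after.

```spl
index=wineventlog (source="WinEventLog:Security" OR source="WinEventLog:Application") EventCode=* user=*
| eval src_nt_host=coalesce(src_nt_host, host)
| eval lockout=if(EventCode==4740 OR EventCode==644, 1, 0)
| stats latest(_time) as time, latest(src_nt_host) as host, max(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode==4625 OR EventCode==4771)) as failures, values(Source_Network_Address) as Source_Network_Address, values(source) as sources by user
| eval lockedout=if(lockedout==1, "Yes", "No")
| where failures > 0 OR lockedout=="Yes"
| eval time=strftime(time, "%c")
| rename user as "User Name", Source_Network_Address as "IP Address", failures as "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures" sources
```

Two deliberate departures from the search in the question: the lockout flag is computed only from 4740 (account locked out) and its pre-Vista equivalent 644, because 4624 is a successful logon and marking it as a lockout would flag every normal user; and the flag is aggregated with max() instead of latest(), since latest(lockout) reports "No" for an account that was locked out and then generated any later event. 4625 (failed logon) and 4771 (Kerberos pre-authentication failed) are the failure events counted. The values(source) column shows which of the two sources each row came from, which is a quick way to confirm that the Application events are actually being matched. If a search with an explicit index still returns nothing, check the role's index permissions under Settings > Roles as Giuseppe describes, and widen the time range before assuming the data is missing.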