Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Results on one value matching two AND field results

chrisschum
Path Finder
‎03-30-2018 06:21 AM

I'm trying to figure out a way to find out if an unknown user name matches two Windows Event Codes for a dashboard.

I want to search if a userID (Account_Name) matches both Event Codes 4740 and 4625, so that I can create a simple dashboard where you can input a userID and the results will only show those that match both codes above.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dragonakai
Engager
‎03-30-2018 07:02 AM

I recommend something like this. You can manipulate it further to make the formatting pretty or easy to read. You could also attempt a transaction, but I think this will be faster. Also, you will want to mess with the span in the bin command. 5 minutes may be too small. You could make that a token for a dashboard input, like with userid.

sourcetype=wineventlog* Account_Name=$userid$ EventCode=4740 OR EventCode=4625
| bin _time span=5m
| stats values(Message) values(EventCode) AS EventCodes by _time
| eval EventCodeCount=mvcount(EventCodes)
| search EventCodeCount=2

View solution in original post

Reply
Solved! Jump to solution
Solution

dragonakai
Engager
‎03-30-2018 07:02 AM

I recommend something like this. You can manipulate it further to make the formatting pretty or easy to read. You could also attempt a transaction, but I think this will be faster. Also, you will want to mess with the span in the bin command. 5 minutes may be too small. You could make that a token for a dashboard input, like with userid.

sourcetype=wineventlog* Account_Name=$userid$ EventCode=4740 OR EventCode=4625
| bin _time span=5m
| stats values(Message) values(EventCode) AS EventCodes by _time
| eval EventCodeCount=mvcount(EventCodes)
| search EventCodeCount=2

Reply
Solved! Jump to solution

chrisschum
Path Finder
‎03-30-2018 10:28 AM

That worked like a champ! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...