Hi
I tried the SPL query below, which is not working. Can anyone help me?
index=aws sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message
OR
source="*" EventCode=4624 OR EventCode=4634 | table _time Account* Logon*
OK, so take for example this query
index=aws sourcetype=* earliest=-30d user="*" action=login OR action=logout | table user status action reason message
If you run this query in verbose mode (but do last 15 minutes, not last 30 days), then in the events tab, you will see a list of fields. Do the fields you are using in the search exist?
Do you have permission to view events in the aws index?
If you just use index=aws for the last 15 minutes, do you see any data?
Do you have the user and action fields, and if you have action, what are the values?
If you are seeing nothing, then it will be one of
The best way to resolve this is to look at the field list (in verbose mode) so you can see the extracted fields and their typical values
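As an added example (not part of the original posts), here are three searches that carry out the checks above. They assume the aws index and the user/action/status/reason/message field names from the thread; run each one separately over the last 15 minutes first, then widen the time range once the fields are confirmed. The first lists which of those fields are actually extracted and their typical values, the second shows the real values of action (login/logout may be logged under different names), and the third is the original search with the OR grouped explicitly and _time added so events can be read in order.

```spl
index=aws earliest=-15m
| fieldsummary maxvals=10
| search field IN (user, action, status, reason, message)
| table field count distinct_count values

index=aws earliest=-15m action=*
| stats count by action

index=aws earliest=-30d user="*" (action=login OR action=logout)
| table _time user status action reason message
```

If the first search returns no rows for field, the index has events but those fields are not being extracted, so the table will stay empty whatever the time range; if even a bare index=aws over 15 minutes returns nothing, the problem is data or permissions on the index rather than the query.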
Basically, I want to write an SPL query to find out user log in and log out on our website.
Hi
Yes, I am getting "no data found".
How do you know it's not working? Are you getting 0 results?
Do you know there is data that should appear?
Do all the fields you are searching by exist?