Hello community! I'm looking for a way to optimize this search below and I need some help : index="oswinsec" source="XmlWinEventLog:Security" TargetUserName Kerberos earliest=-5min
| regex TargetUserName="^([a-z]+)\.([a-z]+)"
| regex IpAddress="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval Octet1=mvindex(split(IpAddress,"."), 0) | eval Octet2=mvindex(split(IpAddress,"."), 1) | eval Octet3=mvindex(split(IpAddress,"."), 2) | where (Octet1=10 AND Octet2=244 AND Octet3>=192 AND Octet3<=255) OR (Octet1=172 AND Octet2=24)
| dedup TargetUserName | table TargetUserName IpAddress Thanking you!! regards
... View more