Hi Splunker;
I have the below search:
index=winevents (host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3) sourcetype="WinEventLog:Security" (signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon") src_nt_host=* NOT [| inputlookup list_kasperSky.csv] NOT [| inputlookup list_not_use_kasperSky.csv] | fields src_nt_host | table src_nt_host | dedup src_nt_host
This search compares the above lookup tables with the Windows Security logs: any host that exists in the Windows logs but not in those lookup tables should appear in the result. The comparison is on the (src_nt_host) field.
After running the search, Splunk shows results that do not exist in the Windows logs. Why do these results appear?
Please help me in that.
BR;
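An added example, not the poster's own search: the same comparison with each subsearch reduced to the one field being compared. A subsearch over `inputlookup` otherwise hands back every column of the CSV, so the generated NOT clause would require all of those columns to match at once and would rarely exclude anything. It assumes both lookup files have a column named src_nt_host; if the column is named differently, rename it inside the subsearch first.

```spl
index=winevents sourcetype="WinEventLog:Security"
    (host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3)
    (signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon")
    src_nt_host=*
    NOT [| inputlookup list_kasperSky.csv | fields src_nt_host | dedup src_nt_host | format]
    NOT [| inputlookup list_not_use_kasperSky.csv | fields src_nt_host | dedup src_nt_host | format]
| stats count AS logons, min(_time) AS first_seen, max(_time) AS last_seen, values(host) AS domain_controllers BY src_nt_host
| convert ctime(first_seen) ctime(last_seen)
| sort - logons
```

Run `| inputlookup list_kasperSky.csv | fields src_nt_host | format` on its own to see the exact clause the subsearch produces; if the lookup holds more than the default subsearch result limit (10,000 rows), the exclusion is truncated and unlisted hosts will still appear.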