index=timswindows sourcetype=ActiveDirectory
[search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
| dedup Account_Name
| stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
|fields sAMAccountName, distinguishedName, host
|chart count by distinguishedName
The field in question is "distinguishedName". There about 4 possible keywords that could be in this field. How do I filter them out in the chart.
↧