index=timswindows sourcetype=ActiveDirectory
[search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
| dedup Account_Name
| stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
|fields sAMAccountName, distinguishedName, host
|chart count by distinguishedName
The field in question is "distinguishedName".
There about 4 possible keywords that could be in this field.
How do I filter them out in the chart?
↧