I have some Windows event log data that shows the ID when a user logs in and logs out. In addition, it shows me the audited actions taken by the user throughout their session. The generated table always starts with the login and always ends with the logout. Since I already know the login/logout messages, I don't want to see them in the audited actions.
How can I display the `2nd to n-1` values of the audited actions?
**Current search**
```
index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action
```
**Current output**
```
loginid   logoutid  user      audit_action
5073518   2519740   testcase  An account was successfully logged on
                              A new process has been created
                              A new handle to an object was requested
                              A privileged service was called
                              An account was logged off
                              User initiated logoff
```
I would like to see everything above, except the first and last audit actions. How do I hide/remove them? There is no `mvindex(audit_action, n-1)`.
**SOLVED - Final Working Search**
```
index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | eval audit_action=mvindex(audit_action,1,mvcount(audit_action)-2) | table loginid, logoutid, user, audit_action
```
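The same two steps, grouping events into a logon/logoff session per user and then dropping the first and last audit action, written as a small Python script so the logic can be checked outside Splunk. This is an added example, not code from the original post or from Splunk: the event records, record ids and the `build_sessions`/`session_rows` helpers are constructed here, and the grouping is a simplified model of what `transaction` does (sessions that never reach a logoff are simply not reported). It also covers the edge case the `mvindex(..., 1, mvcount(...)-2)` expression has to handle: a session that contains only the logon and logoff events yields an empty list of audit actions rather than an error.

```python
"""Group Windows logon/logoff events into per-user sessions and trim the
boundary events from the audited actions, mirroring the Splunk search
`transaction user startswith=4624 endswith=4647` followed by
`mvindex(audit_action, 1, mvcount(audit_action)-2)`."""
from dataclasses import dataclass, field
from typing import Optional

LOGON, LOGOFF = 4624, 4647  # EventCodes used as the session boundaries

# Constructed sample events, not real log data: (record id, user, EventCode, message)
SAMPLE_EVENTS = [
    (1001, "testcase", LOGON, "An account was successfully logged on"),
    (1002, "testcase", 4688, "A new process has been created"),
    (1003, "testcase", 4656, "A new handle to an object was requested"),
    (1004, "testcase", 4673, "A privileged service was called"),
    (1005, "testcase", 4634, "An account was logged off"),
    (1006, "testcase", LOGOFF, "User initiated logoff"),
    # second session with no actions between logon and logoff (edge case)
    (1007, "testcase", LOGON, "An account was successfully logged on"),
    (1008, "testcase", LOGOFF, "User initiated logoff"),
    # event for a user with no open session: dropped, like an event outside a transaction
    (1009, "other", 4688, "A new process has been created"),
]


@dataclass
class Session:
    user: str
    login_id: int
    logout_id: Optional[int] = None
    audit_actions: list = field(default_factory=list)  # boundary events included


def build_sessions(events):
    """Simplified model of `transaction user startswith=... endswith=...`:
    a logon opens a session for that user, every later event for the user is
    appended, and a logoff closes it. Sessions that never close are not reported."""
    open_sessions = {}
    closed = []
    for rec_id, user, code, msg in events:
        if code == LOGON:
            open_sessions[user] = Session(user, rec_id, audit_actions=[msg])
            continue
        sess = open_sessions.get(user)
        if sess is None:
            continue
        sess.audit_actions.append(msg)
        if code == LOGOFF:
            sess.logout_id = rec_id
            closed.append(open_sessions.pop(user))
    return closed


def inner_actions(actions):
    """Equivalent of mvindex(audit_action, 1, mvcount(audit_action)-2):
    drop the first and last values. A list of two or fewer values yields []."""
    return actions[1:-1]


def session_rows(events):
    """Produce the rows the final search tables: loginid, logoutid, user and the
    trimmed audit actions."""
    return [
        {
            "loginid": s.login_id,
            "logoutid": s.logout_id,
            "user": s.user,
            "audit_action": inner_actions(s.audit_actions),
        }
        for s in build_sessions(events)
    ]


if __name__ == "__main__":
    for row in session_rows(SAMPLE_EVENTS):
        print(row["loginid"], row["logoutid"], row["user"])
        for action in row["audit_action"]:
            print("   ", action)
```

Python's `actions[1:-1]` behaves like the `mvindex` range with a start of 1 and an end of `mvcount-2` but degrades gracefully: when the session holds only the two boundary events the result is an empty list, which is the row you would want to keep (or filter on) when reviewing sessions with no audited activity.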