Some Failed Logon dashboards return no results on the search head, but the dashboards are working on the indexers.
eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`ip-to-host`|`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"
Returns no results.
eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"
does return results, indicating a failure of the macro `ip-to-host`. The macro (Settings > Advanced Search > Search Macros) exists in both locations with the same permissions.
How to fix the macro, or the underlying lookup, on the search head?