Find a specific user from active directory logs
So I am tweaking the pre-built searches for Active Directory and don't get how to parse a specific username string. For example, I am looking for all users whose names start with the string "zz". I tried using the query
where dest_user="zz*"
where the wildcard should be enough to tell it to find any users starting with "zz". This doesn't seem to work. Any support on the matter would be appreciated. Thanks.
Hi Saad, if you're using Field Extractions you could have a query like this:
_SourceCategory=Win* dest_user=zz* | count by dest_user
Because the field is pre-parsed with a FER, you could use it in the first search bucket. Otherwise, if you're parsing inline in your query (custom or using a public parser), something like this should work:
_SourceCategory=Win* | parse "" as dest_user | where dest_user matches "zz*" | count by dest_user
In your case the '=' operator is doing a literal string comparison within the where clause, so it is looking for an explicit asterisk. Using the matches operator will allow you to use wildcards in a where clause.
You can also use the matches operator in place of the "=" sign in your current query, e.g.:
where dest_user matches "zz*"
More info on the matches operator can be found here: http://help.sumologic.com/Search/Search_Query_Language/Search_Operators/matches
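To make the difference between the two operators concrete, here is an added Python example (not Sumo Logic's code and not part of this thread) that emulates the semantics discussed above over a handful of constructed Active Directory-style records: a literal `=` comparison in a where clause, a glob-style `matches` where `*` is a wildcard, and a `count by` aggregation. The sample events, the field name `dest_user`, and the `_sourceCategory` values are all constructed for the example; the case-sensitive treatment of the pattern is a simplification, so check the linked documentation for the operator's exact behaviour.

```python
import re
from collections import Counter

# Constructed sample records standing in for parsed Windows AD events.
# The dest_user field is assumed to have already been extracted (e.g. by a FER).
SAMPLE_EVENTS = [
    {"_sourceCategory": "Win/Security", "dest_user": "zzadmin"},
    {"_sourceCategory": "Win/Security", "dest_user": "zz_svc_backup"},
    {"_sourceCategory": "Win/Security", "dest_user": "jdoe"},
    {"_sourceCategory": "Win/Security", "dest_user": "zzadmin"},
    {"_sourceCategory": "Win/Security", "dest_user": "buzz"},
    {"_sourceCategory": "Linux/Auth", "dest_user": "zzroot"},
]


def glob_to_regex(pattern):
    """Translate a wildcard pattern ('*' = any run of characters) into an
    anchored regular expression; every other character is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def where_equals(events, field, value):
    """Emulates `where field = "value"`: a literal comparison, so the '*' is
    just an asterisk character and "zz*" only hits a user literally named zz*."""
    return [e for e in events if e.get(field) == value]


def where_matches(events, field, pattern):
    """Emulates `where field matches "pattern"`, with '*' as a wildcard."""
    rx = glob_to_regex(pattern)
    return [e for e in events if rx.match(e.get(field, ""))]


def count_by(events, field):
    """Emulates `count by field`: number of events per distinct field value."""
    return dict(Counter(e[field] for e in events))


def run_query(events, source_category_glob, user_pattern, use_matches=True):
    """Scope to a source category, filter on dest_user, then count by user.
    use_matches=False reproduces the original (non-working) `=` filter."""
    scoped = where_matches(events, "_sourceCategory", source_category_glob)
    if use_matches:
        filtered = where_matches(scoped, "dest_user", user_pattern)
    else:
        filtered = where_equals(scoped, "dest_user", user_pattern)
    return count_by(filtered, "dest_user")


if __name__ == "__main__":
    # Literal '=' finds nothing: no account is actually named "zz*".
    print(run_query(SAMPLE_EVENTS, "Win*", "zz*", use_matches=False))
    # Wildcard matches returns the zz-prefixed Windows accounts with their counts.
    print(run_query(SAMPLE_EVENTS, "Win*", "zz*"))
```

Note that the pattern is anchored at both ends, so "zz*" is a prefix match and "buzz" is excluded; to find "zz" anywhere in the name you would use "*zz*" instead.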