Find a specific user from active directory logs

Comments


  • Kelly Hamm
    Hi Saad - if you're using Field Extractions you could have a query like this:

    _SourceCategory=Win* dest_user=zz* | count by dest_user

    Because the field is pre-parsed with FER, you could use it in the first search bucket. Otherwise, if you're parsing inline in your query (custom or using a public parser), something like this should work:

    _SourceCategory=Win* | parse "" as dest_user | where dest_user matches "zz*" | count by dest_user

    In your case the '=' operator is doing a literal string comparison within the where clause, so it's looking for an explicit asterisk. Using the matches operator will allow you to use wildcards in a where clause.
  • Mike Lupiani
    You can also use the matches operator in place of the "=" sign in your current query, e.g.:

    where dest_user matches "zz*"

    More info on the matches operator can be found here: http://help.sumologic.com/Search/Search_Query_Language/Search_Operators/matches
