I need to modify a saved search. We are getting way too many emails due to Exchange servers doing maintenance and resetting passwords for HealthMailbox and service accounts. With 3 domain controllers and 2 Exchange servers, it's really adding up. One way to stop it is to eliminate results where the field src_user has a $ sign in it; that indicates it's a system account and not a user account. So I go to add this: | where !(src_user contains "$") and I get the error above in the subject.
Here is the query, with the new line added as the last line below:
_sourceCategory = windows/events _sourceName=Security (4723 or 4724) ("EventCode = 4723;" or "EventCode = 4724;")
| parse "EventCode = *;" as event_id nodrop | parse "Computer = \"*\";" as host nodrop | parse "ComputerName = \"*\";" as host nodrop
| parse regex "Message = \"(?<msg_summary>[^\r]+?)\r" nodrop
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r[\s\S]+?Account Name:\s+(?<dest_user>[^\r]+?)\r" nodrop
| where event_id in ("4723","4724")
| fields host, event_id, msg_summary, src_user, src_domain, dest_user
| where !(src_user contains "$")
When I view the data, this effectively filters the data out, but when I click Save it says:
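The same parse-and-filter logic as the query above, reimplemented in Python as an added example (not from the original post or from Sumo Logic) so the noise-reduction rule can be checked offline against constructed 4723/4724 events; the regexes are the post's own, with Python's (?P<name>) group syntax, and the sample events are constructed here.

```python
import re

# Constructed sample events in the shape the original query parses
# (Sumo Logic-style 'Key = value;' fields, Message text with \r\n line endings).
SAMPLE_EVENTS = [
    # Exchange server machine account (EXCH01$) resetting a HealthMailbox password: noise
    'EventCode = 4724; Computer = "DC01.corp.example"; Logfile = "Security"; '
    'Message = "An attempt was made to reset an account\'s password.\r\n\r\n'
    'Subject:\r\n\tAccount Name:\t\tEXCH01$\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Target Account:\r\n\tAccount Name:\t\tHealthMailbox8f3a1c\r\n\tAccount Domain:\t\tCORP\r\n";',
    # Human admin resetting another user's password: keep
    'EventCode = 4724; Computer = "DC02.corp.example"; Logfile = "Security"; '
    'Message = "An attempt was made to reset an account\'s password.\r\n\r\n'
    'Subject:\r\n\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Target Account:\r\n\tAccount Name:\t\tasmith\r\n\tAccount Domain:\t\tCORP\r\n";',
    # 4723: user changing their own password: keep
    'EventCode = 4723; Computer = "DC03.corp.example"; Logfile = "Security"; '
    'Message = "An attempt was made to change an account\'s password.\r\n\r\n'
    'Subject:\r\n\tAccount Name:\t\tbjones\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Target Account:\r\n\tAccount Name:\t\tbjones\r\n\tAccount Domain:\t\tCORP\r\n";',
    # Unrelated event code: dropped by the event_id filter
    'EventCode = 4625; Computer = "DC01.corp.example"; Logfile = "Security"; '
    'Message = "An account failed to log on.\r\n";',
]

EVENT_RE = re.compile(r"EventCode = (?P<event_id>\d+);")
HOST_RE = re.compile(r'Computer(?:Name)? = "(?P<host>[^"]*)";')
SUMMARY_RE = re.compile(r'Message = "(?P<msg_summary>[^\r]+?)\r')
ACCOUNTS_RE = re.compile(  # same pattern as the query: first Account Name/Domain is the subject, next Account Name the target
    r'Logfile = "Security";[\s\S]+?Account Name:\s+(?P<src_user>[^\r]+?)\r'
    r'[\s\S]+?Account Domain:\s+(?P<src_domain>[^\r]+?)\r'
    r'[\s\S]+?Account Name:\s+(?P<dest_user>[^\r]+?)\r')

def parse_event(raw):
    """Extract the fields the query's parse statements extract (nodrop: missing fields stay absent)."""
    fields = {}
    for rx in (EVENT_RE, HOST_RE, SUMMARY_RE, ACCOUNTS_RE):
        m = rx.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields

def filter_password_events(raw_events):
    """Keep 4723/4724 only, then drop rows whose src_user contains '$' (the post's system-account rule)."""
    kept = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get("event_id") not in ("4723", "4724"):
            continue
        if "$" in ev.get("src_user", ""):
            continue  # machine/service account performed the change: filtered as noise
        kept.append(ev)
    return kept

if __name__ == "__main__":
    for ev in filter_password_events(SAMPLE_EVENTS):
        print(ev["event_id"], ev["host"], ev["src_user"], "->", ev["dest_user"])
```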