Hey everyone,
We updated to Splunk 6.2.6 and now some of our searches don't work anymore, and I was wondering if someone could look at the search string I have and see why it is not pulling up all the failed logins when someone is using RDP. Every time I try to run this, I get an error back that says "NO matching fields exist". I didn't write the search string, so hoping there is something wrong with it. I appreciate any help. What am I missing?
source="WinEventLog:Security" ( EventCode=529 Logon_Type=10 ) OR ( EventCode=4625 Logon_Type=10 ) | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | timechart count by User