I've stood up Fleet and Elastic, which I finally got working properly. My question is with the Discover / search. I'm trying to create a dashboard from this:
agent.name:* and winlog.event_id:4624 and winlog.event_data.TargetUserName:* and not winlog.event_data.targetusername:system and not source.ip:127.0.0.1
I'm used to Splunk, where if I needed to create a table I could, and I could table out some or all of the messages in, say, winlog.event_data.Message and it would go into a table row.
I'm trying to do the same thing, but once I add that to the table with Lens it fails and I can't see any of the data. How can I set this up so that the messages are returned?
It's not so much an error, it's returning blank. I know it's doing a count for the logins, and I can share screenshots if you'd like, but when I add the winlog.event_data.Message as a table item it goes blank and says "no results found".
I know with Splunk, if I wanted that data in the table, I could do something like:
8.14.1 looks right from your screenshot. Are you using the Discover screen or trying to create a Lens visualization?
It sounds like there isn't a winlog event document that matches that precise query, so it might be worth checking the query, whether you need parentheses (looking at your query I see 2 conditions for targetusername), and also the date range you have selected in the top right corner.
Since you say you are familiar with Splunk the ES|QL query language may be easier for you than the default of KQL. You can use ES|QL in Discover. I would recommend having a look at the getting started and the command reference.
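As an added example (not part of the original thread or of Elastic's documentation), here is the same filter from the question written as an ES|QL query that can be pasted into Discover. It assumes the Windows logs land in a data stream matched by `logs-*` and uses the field names exactly as they appear in the question; `winlog.event_id` is a keyword field in ECS, so it is compared as a string, and the loopback address is cast with `TO_IP` rather than relying on a string comparison. Note that ES|QL field names, like KQL field names, must match the mapping's casing, so the exclusion uses `TargetUserName` throughout rather than the lower-case spelling in the original query.

```esql
// Added example: successful Windows logons (4624) with the raw message kept per event.
// Assumption: data stream matched by logs-*, ECS-style winlog.* fields as in the question.
FROM logs-*
| WHERE winlog.event_id == "4624"
    AND winlog.event_data.TargetUserName IS NOT NULL
    AND winlog.event_data.TargetUserName != "SYSTEM"
    AND (source.ip IS NULL OR source.ip != TO_IP("127.0.0.1"))
| KEEP @timestamp, agent.name, winlog.event_data.TargetUserName, source.ip, winlog.event_data.Message
| SORT @timestamp DESC
| LIMIT 100
```

`KEEP` returns one row per matching event with the message text intact, which is the Splunk-style table the question is after. A Lens table, by contrast, builds its rows from aggregations, so a free-text field that is not aggregatable cannot be used as a row dimension there; that is the usual reason adding a message field to a Lens table yields "no results found" while the count itself works. The `source.ip IS NULL` branch is included because a `!=` comparison on a missing field evaluates to null and would otherwise drop logons that carry no source address (for example, interactive console logons).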