I'm trying to combine two filters together for a visualization, but it is not functioning correctly at all.
I wanted to combine: winlog.event_id:4723 and winlog.keywords:"Audit Success". When I do that, I'm getting a count of 53 events.
So I created a column for winlog.event_id:4723 which has a count of 1.
And one more column for winlog.keywords:"Audit Success" which has a count of 6.
So, if it were working correctly, that first filter should show a count of 7.
I haven't really found any recent posts about this, and perhaps I'm searching for the wrong thing. Is there any way I can solve this issue?
See screenshot for what the visualization looks like:
As per my understanding you have to get a result with winlog event id:4728 and whose keywords are success.Remove whatever you have given in aggregation just set the Y axis to count and .Select Add filter which is on the top and put your first condition there
Then after this click on add filter and do the same with winlog.keywords:"Audit Success"
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
