Hi,
Re-read search syntax post several times over - still unable to do what I need.
Here's the situation: Gathering logs from Windows event log, have lots with event id 4625 and in some cases the event_data.TargetUserName is a machine (having at the end of the name, like CPU1, MACHINE2$ etc).
I want to find all records with event_id:4625, but not the machine accounts.
Here is what I have tried (with no success) - problem seems to be escaping dollar sign.
event_id:4625 NOT event_data.TargetUserName:""
event_id:4625 -event_data.TargetUserName:"*"
event_id:4625 NOT event_data.TargetUserName:/(.)$/ (and several other options)
Anyone facing similar problem?
Thanks, J