The Logstash debug output for the input logs looks like:
{
         "message" => "37208057\tSecurity\tMicrosoft-Windows-Security-Auditing\tSUCCESS AUDIT\tserver.myorg.org\t11/18/2014 12:13:32 AM\t4776\tNone\t\"The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: joe Source Workstation: joescomputer Error Code: 0x0 \"",
        "@version" => "1",
      "@timestamp" => "2014-11-18T05:13:32.000Z",
            "host" => "0:0:0:0:0:0:0:1:51947",
            "type" => "logons",
           "recno" => "37208057",
         "logtype" => "Security",
          "status" => "SUCCESS",
        "hostname" => "server.myorg.org",
       "eventCode" => "4776",
        "username" => "joe",
     "workstation" => "joescomputer",
           "retcd" => "0x0",
     "received_at" => "2014-12-15 19:25:49 UTC",
   "received_from" => "0:0:0:0:0:0:0:1:51947"
}
I have obscured the host names and accounts, but the fields are the same.
I am hoping for output like:
username  workstation    error code  Count
root      maryscomputer  6a          100
joe       lab1           6a          5
joe       lab2           6a          2
mary      maryscomputer  6a          1
This assumes that the detail records were all dated the same day.
I am expecting that this is going to come back in a JSON format that I will
have to format to look like above.
Is this what you wanted?
On Monday, December 15, 2014 1:03:07 PM UTC-5, Sachin Divekar wrote:
Hi,
Can you share some sample data and desired output?
Sachin Divekar
On Mon, Dec 15, 2014, 10:00 PM Rod Clayton <rod.c...@gmail.com> wrote:
I have loaded login data into Elasticsearch using Logstash.
I have fields: username retcd workstation.
I want to query and get a count of failed logon requests by username and
workstation on a given day.
The indexes are named like logstash-2014.11.18.
What would a query for this look like on the day listed above?
Thanks,
Rod
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/dd8ca3ed-c9e6-478a-ad77-9418e5822296%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/f6d94667-d81d-40de-a927-de088e2bee69%40googlegroups.com.
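An added example (not code from the thread) of what the query Rod asks for looks like, and of turning its JSON reply into the table above, written in Python against an Elasticsearch 1.x cluster, the version current when this thread was written (the "filtered" query and terms "size": 0 are 1.x syntax). It assumes the field names from the post (type, username, workstation, retcd, @timestamp) and the default Logstash index template, which gives every string field a not_analyzed ".raw" sub-field; if your mapping lacks those, use the plain field names, or the terms aggregation will bucket on analyzed tokens and split values such as server.myorg.org. The host URL and SAMPLE_RESPONSE are constructed; the response uses the full code 0xC000006A (wrong password) where the post abbreviates it to 6a. One caveat the post's own data shows: @timestamp is UTC (12:13:32 AM local was stored as 05:13:32Z) and Logstash names indices by UTC date, so "a given day" in local time can span two indices; the utc_offset_hours parameter covers that by shifting the range and listing both indices.

```python
"""Count failed logons (retcd other than 0x0) by username and workstation for
one day, against the Logstash-fed Elasticsearch 1.x index discussed above.

Added example, not code from the thread. Assumptions:
  * field names from the post: type, username, workstation, retcd, @timestamp
  * the default Logstash index template, which adds a not_analyzed ".raw"
    sub-field to each string field (use the plain names if yours lacks it)
  * Elasticsearch 1.x request syntax ("filtered" query, terms "size": 0)
  * the host URL and SAMPLE_RESPONSE below are constructed, not real data
"""
import json
from datetime import date, datetime, timedelta, timezone
from urllib.request import Request, urlopen


def day_bounds_utc(day_str, utc_offset_hours=0):
    """UTC [start, end) of the local calendar day day_str (YYYY-MM-DD).
    utc_offset_hours is local minus UTC, e.g. -5 for the US East Coast."""
    d = date.fromisoformat(day_str)
    start = datetime(d.year, d.month, d.day, tzinfo=timezone.utc) - timedelta(hours=utc_offset_hours)
    return start, start + timedelta(days=1)


def index_names(day_str, utc_offset_hours=0):
    """Logstash names indices by UTC date, so a local day may need two."""
    start, end = day_bounds_utc(day_str, utc_offset_hours)
    names, d = [], start.date()
    last = (end - timedelta(microseconds=1)).date()
    while d <= last:
        names.append("logstash-" + d.strftime("%Y.%m.%d"))
        d += timedelta(days=1)
    return ",".join(names)


def build_failed_logon_query(day_str, utc_offset_hours=0):
    """Request body: 'logons' docs in the day whose retcd is not 0x0,
    bucketed username -> workstation -> error code."""
    start, end = day_bounds_utc(day_str, utc_offset_hours)
    return {
        "size": 0,  # only the aggregation, no hits
        "query": {"filtered": {
            "query": {"match_all": {}},
            "filter": {"bool": {
                "must": [
                    {"term": {"type": "logons"}},
                    {"range": {"@timestamp": {"gte": start.isoformat(), "lt": end.isoformat()}}},
                ],
                "must_not": [{"term": {"retcd.raw": "0x0"}}],  # 0x0 = credentials validated
            }},
        }},
        "aggs": {"by_user": {
            "terms": {"field": "username.raw", "size": 0},  # size 0 = all buckets (1.x)
            "aggs": {"by_workstation": {
                "terms": {"field": "workstation.raw", "size": 0},
                "aggs": {"by_code": {"terms": {"field": "retcd.raw", "size": 0}}},
            }},
        }},
    }


def flatten(response):
    """Nested buckets -> (username, workstation, error code, count) rows,
    largest count first: the table shape the post asks for."""
    rows = []
    for u in response["aggregations"]["by_user"]["buckets"]:
        for w in u["by_workstation"]["buckets"]:
            for c in w["by_code"]["buckets"]:
                rows.append((u["key"], w["key"], c["key"], c["doc_count"]))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


def format_table(rows):
    """Plain-text table with aligned columns, header first."""
    header = ("username", "workstation", "error code", "count")
    cells = [header] + [tuple(str(v) for v in r) for r in rows]
    widths = [max(len(row[i]) for row in cells) for i in range(4)]
    return "\n".join("  ".join(v.ljust(widths[i]) for i, v in enumerate(row)) for row in cells)


def run(day_str, host="http://localhost:9200", utc_offset_hours=0):
    """POST the query to the day's index(es) and return the flattened rows."""
    url = "%s/%s/_search" % (host, index_names(day_str, utc_offset_hours))
    body = json.dumps(build_failed_logon_query(day_str, utc_offset_hours)).encode()
    req = Request(url, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req) as resp:
        return flatten(json.load(resp))


# Constructed reply mirroring the hoped-for output above; the post's "6a"
# is the tail of 0xC000006A, the 4776 error code for a wrong password.
SAMPLE_RESPONSE = {"aggregations": {"by_user": {"buckets": [
    {"key": "root", "doc_count": 100, "by_workstation": {"buckets": [
        {"key": "maryscomputer", "doc_count": 100,
         "by_code": {"buckets": [{"key": "0xC000006A", "doc_count": 100}]}}]}},
    {"key": "joe", "doc_count": 7, "by_workstation": {"buckets": [
        {"key": "lab1", "doc_count": 5, "by_code": {"buckets": [{"key": "0xC000006A", "doc_count": 5}]}},
        {"key": "lab2", "doc_count": 2, "by_code": {"buckets": [{"key": "0xC000006A", "doc_count": 2}]}}]}},
    {"key": "mary", "doc_count": 1, "by_workstation": {"buckets": [
        {"key": "maryscomputer", "doc_count": 1,
         "by_code": {"buckets": [{"key": "0xC000006A", "doc_count": 1}]}}]}},
]}}}

if __name__ == "__main__":
    print(json.dumps(build_failed_logon_query("2014-11-18", -5), indent=2))
    print(format_table(flatten(SAMPLE_RESPONSE)))
```

Running the script prints the request body for 18 November 2014 in US Eastern time (the range becomes 2014-11-18T05:00:00Z to 2014-11-19T05:00:00Z, sent to logstash-2014.11.18,logstash-2014.11.19) and then the formatted table from the constructed response; run("2014-11-18", utc_offset_hours=-5) does the same against a live cluster. The must_not on retcd.raw is what turns "all 4776 events" into "failed validations"; if you also want the breakdown by error code dropped, remove the innermost by_code aggregation and read doc_count from the workstation buckets instead.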