HTB Academy : Cybersecurity Training detecting kerberoasting in detecting windows attacks with splunk

Modify and employ the Splunk search provided at the “Detecting Kerberoasting - SPN Querying” part of this section on all ingested data (All time). Enter the name of the user who initiated the process that executed an LDAP query containing the “(&(samAccountType=805306368)(servicePrincipalName=)*” string at 2023-07-26 16:42:44 as your answer. Answer format: CORP_ any hints on this, i tried all usernames , none working

index=main earliest=“07/26/2023:00:00:00” latest=“07/28/2023:23:59:59” EventCode=4648 OR (EventCode=4769 AND service_name=iis_svc)
| dedup RecordNumber
| rex field=user “(?[^@]+)”
| search username!=*$
| transaction username keepevicted=true maxspan=5s endswith=(EventCode=4648) startswith=(EventCode=4769)
| where closed_txn=0 AND EventCode = 4769
| table _time, EventCode, service_name, username