Hi,

I am trying to generate a search command to track file deletions by user.The current command that I have is:

host="myhost" (EventCode=564) | join Handle_ID [search EventCode=560] | stats values(Object_Name) by user

In this command,myhost refers to the windows file server where users have access to sensitive files.I want to capture event 564 as it indicates a file deletion,but will also require to capture its corresponding event 560 as it contains the file name that are deleted.(From my understanding,a file deletion on Windows will generate a event 560,564 and is tied by their same handle ID)

The results should display 2 columns, ie.the user & the files that they've deleted.For eg.

     user           values(Object_Name)
------------------------------------------------------------------
1   userA           C:\02 Department\Main\~$2010_Department.doc
2   userE           C:\Program Files\Dept\2010\Report2010.xls
3   userJ           D:\Shared\Product\8AABCE.tmp
                     D:\Shared\Product\~$TK Product Dec.xls

However,the result does not seem right when I did a check.

For eg. running the search command above generates userJ with 2 files deleted.But when I run another search to check:

host="myhost" EventCode="564" user="userJ"

which should produce the number of file deletions by userJ.However then,it shows 5 file deletion events instead of 2.

Any idea on the search command?

Splunk version: 4.1.5