I have one CSV file containing important user names. I want to create an alert/correlation rule whenever the user from that specific list get locked out.
Create a lookup table for the csv file you have. The csv file should have a column name same as the field in event log with user id. I assume it is Account_Name.
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources
Then a query like this should give you the alert
index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name]
Setup an alert if count>0
http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts
Create a lookup table for the csv file you have. The csv file should have a column name same as the field in event log with user id. I assume it is Account_Name.
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources
Then a query like this should give you the alert
index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name]
Setup an alert if count>0
http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts
To achieve that you should create a lookup. A lookup will compare a field from a file and add some data to your current data indexed in splunk. Your csv should have at least the username field and another field, for exemple vip=yes. With that you will compare logs from AD and lookup them and find if a user is vip or not.
You can find more information on: http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources