Splunk Search

Account Locked out without DC$

arkonner
Path Finder

All domain controllers are sending the event code 644 & 4740 to windowseventlog index.

Using the search below I am able to determine the accounts locked out. As a result the search provides the locked-out account names.

As account name I have the DomainController$ and the user name. I can't use !=DomainController$ to display only the user name, because the related user name will also be omitted.

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" (EventCode=4740 OR EventCode=644) AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | timechart span=1h count by Account_Name

0 Karma

arkonner
Path Finder

Both are working well. Thanks a lot.

0 Karma

JDukeSplunk
Builder

Try this.

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" (EventCode=4740 OR EventCode=644) AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| timechart span=1h count by Account_Name
0 Karma

JDukeSplunk
Builder

Just because I'm not a fan of timechart, this one will show you where the account was locked. This assumes Caller_Computer_Name is a valid field for you. Security_ID is redundant if you only have one domain.

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" (EventCode=4740 OR EventCode=644) AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| stats count(Account_Name) as COUNT by Account_Name Security_ID Caller_Computer_Name

-JD

0 Karma
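An added example, not code from this thread or from Splunk, that emulates in Python what the two searches above do with a 4740 event. It builds three constructed event bodies (invented account names, SIDs and host names) in the layout of "A user account was locked out", where the Subject block carries the domain controller's computer account and the "Account That Was Locked Out" block carries the user. Counting every Account_Name value reproduces the DC$ rows the asker sees; keeping only mvindex(Account_Name,1) gives the per-user counts, and grouping by Caller_Computer_Name gives JD's stats variant. The extract_fields and mvindex helpers are simplified stand-ins for Splunk's own field extraction and eval function, and the trailing-"$" check that drops computer accounts is an extra filter, not part of the searches in the thread.

```python
import re
from collections import Counter


def make_4740(dc, user_sid, user, caller):
    """Build one constructed event body in the layout of Security event 4740.
    All values are invented for this example."""
    return (
        "EventCode=4740\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        f"\tAccount Name:\t\t{dc}\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
        "Account That Was Locked Out:\n"
        f"\tSecurity ID:\t\t{user_sid}\n"
        f"\tAccount Name:\t\t{user}\n"
        "Additional Information:\n"
        f"\tCaller Computer Name:\t{caller}\n"
    )


# Constructed sample data: two DCs reporting lockouts for two users.
SAMPLE_EVENTS = [
    make_4740("DC1$", "S-1-5-21-1111-2222-3333-1105", "j.smith", "WKSTN01"),
    make_4740("DC1$", "S-1-5-21-1111-2222-3333-1106", "p.brown", "WKSTN02"),
    make_4740("DC2$", "S-1-5-21-1111-2222-3333-1106", "p.brown", "WKSTN02"),
]

BUILTIN = {"Guest", "Administrator", "Anonymous"}  # the searches' exclusions

KV_LINE = re.compile(r"^(\w+)=(.*)$")                      # EventCode=4740
FIELD_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")  # "Label:  value"


def extract_fields(raw):
    """Stand-in for Splunk's Windows event extraction: 'Account Name' becomes
    Account_Name, and a label that appears twice yields a multivalue field
    whose values keep document order. Section headers ('Subject:') have no
    value and are skipped."""
    fields = {}
    for line in raw.splitlines():
        m = KV_LINE.match(line) or FIELD_LINE.match(line)
        if not m:
            continue
        name = m.group(1).strip().replace(" ", "_")
        fields.setdefault(name, []).append(m.group(2).strip())
    return fields


def mvindex(values, i):
    """Stand-in for Splunk's mvindex(): the i-th value, or None if absent."""
    try:
        return values[i]
    except (IndexError, TypeError):
        return None


def count_by_every_value(events):
    """What `stats count by Account_Name` does on the raw multivalue field:
    each event is counted once per value, so the DC$ accounts appear too."""
    counts = Counter()
    for raw in events:
        for name in extract_fields(raw).get("Account_Name", []):
            if name not in BUILTIN:
                counts[name] += 1
    return counts


def count_locked_out(events):
    """`eval Account_Name=mvindex(Account_Name,1)` first: in 4740 the second
    Account Name is the account that was locked out."""
    counts = Counter()
    for raw in events:
        fields = extract_fields(raw)
        if fields.get("EventCode") != ["4740"]:
            continue
        target = mvindex(fields.get("Account_Name"), 1)
        # Extra filter for this example: also drop computer accounts (name$).
        if target and target not in BUILTIN and not target.endswith("$"):
            counts[target] += 1
    return counts


def locked_out_by_caller(events):
    """JD's stats variant: lockouts grouped by user and the computer that
    triggered them (Caller_Computer_Name)."""
    counts = Counter()
    for raw in events:
        fields = extract_fields(raw)
        if fields.get("EventCode") != ["4740"]:
            continue
        target = mvindex(fields.get("Account_Name"), 1)
        if not target or target in BUILTIN:
            continue
        caller = mvindex(fields.get("Caller_Computer_Name"), 0) or "unknown"
        counts[(target, caller)] += 1
    return counts


if __name__ == "__main__":
    print("raw multivalue count:", dict(count_by_every_value(SAMPLE_EVENTS)))
    print("locked-out users:    ", dict(count_locked_out(SAMPLE_EVENTS)))
    print("by caller computer:  ", dict(locked_out_by_caller(SAMPLE_EVENTS)))
```

Running the script prints the DC1$ = 2, DC2$ = 1 rows for the raw count and only j.smith = 1, p.brown = 2 once the second value is selected; the per-caller table is the one to read when a single workstation keeps locking the same account.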

sundareshr
Legend

Can you restate your question? Are you wanting to remove the domain name from the Account_Name field and keep only the user name, or do you want to exclude events that have only the domain name? Also, can you share a couple of sample events?

0 Karma

arkonner
Path Finder

Hi, I am trying to explain myself better. In the raw data, for a single event I have as Account_Name both the user ID and the DCx$:

Account_Name = DC1$ Account_Name J.smith EventCode 4740
Account_Name = DC1$ Account_Name p.brown EventCode 4740
Account_Name = DC2$ Account_Name p.brown EventCode 4740

As search result, using stats by Account_Name:

DC1$ = 2
J.smith = 1
DC2$ = 1
p.brown = 2

What I'm looking for:

j.smith = 1
p.brown = 2

Thank you in advance for the attention given.

0 Karma