Solved: Newbie struggling with removing "empty" lines for ...

vermicknid · ‎08-15-2013

Hi there! Being new and still struggling mightily to master Splunk, I have an immediate need to create a search/report that looks at when new accounts are created in AD, and what those accounts are named. If I run this over 24 hours, I get a host of timestamped "zero" lines, as no accounts were created during that time. However, at some point, there may be creations of accounts, and it those and those alone that I wish to see.

Thanks, and apologies if this is such a stupid and basic question! I'm trying to find a clue in the docs and in the book, but I'm still struggling.

Michael

lukejadamec · ‎08-15-2013

Try this. You can add more fields from the event types as you see fit. There are also separate event codes for machine accounts.

EventCode=4720 OR EventCode=624 | table _time,SAM_Account_Name | dedup SAM_Account_Name

View solution in original post

lukejadamec · ‎08-15-2013

Try this. You can add more fields from the event types as you see fit. There are also separate event codes for machine accounts.

EventCode=4720 OR EventCode=624 | table _time,SAM_Account_Name | dedup SAM_Account_Name

linu1988 · ‎08-15-2013

Use dedup to get only the unique results OR you could only use a search like this:

Index=blah sourcetype=blah NOT account_name=""|your search..

Thanks

sbrant_splunk · ‎08-15-2013

Can you post your search?

Newbie struggling with removing "empty" lines for a search/report

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases