- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Filter account domain
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, but I'm guessing about the specifics you're after.
If you are talking about Windows 2K8 or Vista EventCode 4740, then you would filter on the Account_Domain field.
In this example you would change 'domain1' to one of your domains.
index=main EventCode=4740 Account_Domain=domain1 | eval Account_Name=mvindex(Account_Name,1)| table _time Account_Domain Account_Name Caller_Computer_Name
If you want to have the results sorted by domain, then use something like this:
index=main EventCode=4740 | eval Account_Name=mvindex(Account_Name,1)| table Account_Domain _time Account_Name Caller_Computer_Name
If you are talking about older Windows systems, then you would filter on the Caller_Domain field. For example:
index=main EventCode=644 | table Caller_Domain _time Target_Account_Name Caller_Machine_Name
If you have a mix, then you can combine the two like this:
index=main EventCode=4740 | eval Account_Name=mvindex(Account_Name,1)|eval Source=coalesce
(Caller_Computer_Name,ComputerName)| table Account_Domain _time Account_Name Source| rename Account_Domain AS Domain Account_Name AS Account |append [search index=main EventCode=644 | table Caller_Domain _time Target_Account_Name Caller_Machine_Name | rename Caller_Domain AS Domain Target_Account_Name AS Account Caller_Machine_Name AS Source]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, but I'm guessing about the specifics you're after.
If you are talking about Windows 2K8 or Vista EventCode 4740, then you would filter on the Account_Domain field.
In this example you would change 'domain1' to one of your domains.
index=main EventCode=4740 Account_Domain=domain1 | eval Account_Name=mvindex(Account_Name,1)| table _time Account_Domain Account_Name Caller_Computer_Name
If you want to have the results sorted by domain, then use something like this:
index=main EventCode=4740 | eval Account_Name=mvindex(Account_Name,1)| table Account_Domain _time Account_Name Caller_Computer_Name
If you are talking about older Windows systems, then you would filter on the Caller_Domain field. For example:
index=main EventCode=644 | table Caller_Domain _time Target_Account_Name Caller_Machine_Name
If you have a mix, then you can combine the two like this:
index=main EventCode=4740 | eval Account_Name=mvindex(Account_Name,1)|eval Source=coalesce
(Caller_Computer_Name,ComputerName)| table Account_Domain _time Account_Name Source| rename Account_Domain AS Domain Account_Name AS Account |append [search index=main EventCode=644 | table Caller_Domain _time Target_Account_Name Caller_Machine_Name | rename Caller_Domain AS Domain Target_Account_Name AS Account Caller_Machine_Name AS Source]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem. Don't forget to accept the answer:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your most appreciated help 😉
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
