Splunk Search

Create a table in my search when I enable/disable an account but not when I create an account.

dfigurello
Communicator

Hello guys,

I have a question about a query search. I have two queries associated with Windows.

My first query is:
EventCode=624 Message="User Account Created" | table _time New_Account_Name Caller_User_Name

Second query is:
EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled" | table Target_Account_Name Caller_User_Name _time

My problem is: when my customer creates a new account in Active Directory, it creates two events. The first event is "624" - "User Account Created", and the other event is "642" "User Account Enable". So I just need to visualize only ENABLED accounts (EVENT 642), when an account is enabled (not created) in AD.

The _time field is equal in both events, because these events are created simultaneously.

Thanks,

DF

somesoni2
Revered Legend

As far as I understand the requirement, there are two scenarios:

  1. Where a new account is created, two events (with the same timestamp) are written:
    EventCode=624 Message="User Account Created"
    and
    EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled"

  2. When an account is enabled (just enabled, not created), one event is written:
    EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled"

and what you wish is to create a table for the events of scenario 2 (account enable only).
If this is correct, you can use the following.

(EventCode=624 Message="User Account Created") OR (EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled" ) | rename New_Account_Name as Account_Name | rename Target_Account_Name as Account_Name| stats count by Account_Name, Caller_User_Name,_time | where count=1
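The correlation the answer above performs (normalise both account-name fields, group by account, caller and timestamp, keep groups of size 1) re-implemented in Python over constructed Windows security events, as an added example that is not part of the thread. It goes one step further than the SPL: a lone 624 (account created but never enabled) is also dropped, so only standalone "Account Enabled" rows are returned; field names and sample values are assumptions.

```python
# Added example (not from the thread): the same pairing logic as the SPL
# "stats count by Account_Name, Caller_User_Name, _time | where count=1",
# run over constructed events so the behaviour can be checked offline.
from collections import defaultdict

# Constructed sample events; field names follow the queries in the thread.
EVENTS = [
    {"_time": "2024-05-01 09:00:00", "EventCode": 624,
     "Message": "User Account Created", "New_Account_Name": "jdoe",
     "Caller_User_Name": "admin1"},
    {"_time": "2024-05-01 09:00:00", "EventCode": 642,
     "Message": "User Account Changed User Account Control Account Enabled",
     "Target_Account_Name": "jdoe", "Caller_User_Name": "admin1"},
    {"_time": "2024-05-01 10:15:00", "EventCode": 642,
     "Message": "User Account Changed User Account Control Account Enabled",
     "Target_Account_Name": "svc_backup", "Caller_User_Name": "admin2"},
]

def account_name(ev):
    # Equivalent of the two rename commands: 624 carries New_Account_Name,
    # 642 carries Target_Account_Name; both map to one Account_Name key.
    return ev.get("New_Account_Name") or ev.get("Target_Account_Name")

def is_create(ev):
    return ev["EventCode"] == 624 and "User Account Created" in ev["Message"]

def is_enable(ev):
    return ev["EventCode"] == 642 and "Account Enabled" in ev["Message"]

def standalone_enables(events):
    """Return sorted (Account_Name, Caller_User_Name, _time) rows for 642
    'Account Enabled' events with no 624 creation at the same timestamp
    for the same account and caller."""
    groups = defaultdict(list)
    for ev in events:
        if is_create(ev) or is_enable(ev):
            key = (account_name(ev), ev["Caller_User_Name"], ev["_time"])
            groups[key].append(ev)
    # A create/enable pair has two events in its group and is dropped;
    # a lone create is dropped too, unlike the SPL where count=1 keeps it.
    return sorted(key for key, evs in groups.items()
                  if len(evs) == 1 and is_enable(evs[0]))

if __name__ == "__main__":
    for row in standalone_enables(EVENTS):
        print(row)
```

The pairing relies on the thread's observation that both events share the same _time; if the two events land in different seconds in your environment, bucket the timestamp (or use a short time window) before grouping.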

lukejadamec
Super Champion

This might work. Maybe. The dedup command will choose the most recent event, so I’m not sure what will happen if both events have the same time – order of search discovery perhaps?

EventCode=642 OR EventCode=624 | search Message="*User Account Changed*" OR Message="*User Account Control*" OR Message="*Account Enabled*" OR Message="*User Account Created*" | dedup _time | table Target_Account_Name Caller_User_Name _time 