So, I tried this:
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatED=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatOR=mvindex(Account_Name,1)
All of them come up with 0 events, and I set it to "All time" for the period. Hopefully you see why I am frustrated...
... View more