https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331790#M39751 <P>I would have a search that runs daily like this:</P> <PRE><CODE>earliest=-25h@h index=YourIndexHere sourcetype=YourSourcetypeHere EventCode=4720 | dedup Account_Name | eval Account_Name = mvindex(Account_Name, 1) | table _time Account_Name | rename _time AS Birthday | appendpipe [|inputlookup NewUsersLastFifteenDays] | dedup Account_Name | where Birthday &gt;= relative_time(now, "-15d@d") | fieldformat Birthday = strftime(Birthday, "%m/%d/%Y %H:%M:%S") | outputlookup NewUsersLastFifteenDays </CODE></PRE> <P>Now you have a lookup that tells you whether the user is under monitoring that you can use at any time in any search like this:</P> <PRE><CODE>index=YourIndexHere sourcetype=YourSourcetypeHere | lookup NewUsersLastFifteenDays | search Birthday="*" </CODE></PRE> <P>Or like this:</P> <PRE><CODE>index=YourIndexHere sourcetype=YourSourcetypeHere [|inputlookup NewUsersLastFifteenDays | fields Account_Name] </CODE></PRE> Wed, 31 May 2017 15:18:26 GMT woodcock 2017-05-31T15:18:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331789#M39750 <P>Hello All,</P> <P>I need to monitor newly created user account for next 15 days. </P> <P>I need a query where it will look for windows event code 4720, then extract the account name and put it for monitoring for next 15 days. Any activity from that account should logged. After 15 days, that account will be removed from monitoring. Same will repeat for all newly created user accounts.</P> <P>Thank you.</P> Wed, 31 May 2017 14:34:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331789#M39750 nnimbe 2017-05-31T14:34:27Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331790#M39751 <P>I would have a search that runs daily like this:</P> <PRE><CODE>earliest=-25h@h index=YourIndexHere sourcetype=YourSourcetypeHere EventCode=4720 | dedup Account_Name | eval Account_Name = mvindex(Account_Name, 1) | table _time Account_Name | rename _time AS Birthday | appendpipe [|inputlookup NewUsersLastFifteenDays] | dedup Account_Name | where Birthday &gt;= relative_time(now, "-15d@d") | fieldformat Birthday = strftime(Birthday, "%m/%d/%Y %H:%M:%S") | outputlookup NewUsersLastFifteenDays </CODE></PRE> <P>Now you have a lookup that tells you whether the user is under monitoring that you can use at any time in any search like this:</P> <PRE><CODE>index=YourIndexHere sourcetype=YourSourcetypeHere | lookup NewUsersLastFifteenDays | search Birthday="*" </CODE></PRE> <P>Or like this:</P> <PRE><CODE>index=YourIndexHere sourcetype=YourSourcetypeHere [|inputlookup NewUsersLastFifteenDays | fields Account_Name] </CODE></PRE> Wed, 31 May 2017 15:18:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331790#M39751 woodcock 2017-05-31T15:18:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331791#M39752 <P>hello there, <BR /> not sure i understand in full, what do you mean by "monitoring the account names for 15 days"? if you collect these logs anyways you have that data.<BR /> one approach can be to use a lookup table, something of this sort:</P> <PRE><CODE>earliest= -15d@d latest=now index = Yourindex sourcetype=YourSourcetpye EventCode=4720 | table _time user | outputlookup new_accounts.csv </CODE></PRE> <P>save this search to run daily so the lookup updates and you always have a list of 15 days worth of new users<BR /> now you can search leveraging the lookup command against your new lookup:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup</A><BR /> hope it helps</P> Wed, 31 May 2017 15:22:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-write-a-search-query-to-monitor-account-for-specific/m-p/331791#M39752 adonio 2017-05-31T15:22:31Z