topic Re: How to separate name in stats for local discovered accounts? in Splunk Search

How to separate name in stats for local discovered accounts?

Minasdad — Fri, 22 Jul 2022 00:44:41 GMT

Any advice on this search? Although it simply produces what I need, it also lumps the system name with it.

index=main s LogName=Security EventCode=4738 Account_Name="*"| table Account_Name | dedup Account_Name

Re: How to separate name in stats for local discovered accounts?

yuanliu — Fri, 22 Jul 2022 08:22:33 GMT

What is your expected output? What is the difference between a "system name" and a "local discovered account"? Remember, this is a Splunk board. Most people have no knowledge about your specific data even if LogName=Security may seem obvious to you.

Re: How to separate name in stats for local discovered accounts?

PickleRick — Fri, 22 Jul 2022 09:27:18 GMT

I'm not that much of an expert on Windows but your search most probably simply returns list of changed accounts. Since Windows uses account for machines as well, you're getting them in the results. It's not about Splunk but about how you distinguish user accounts from the machine accounts. If I remember correctly, the machine accounts have a dollar sign at the end (or at the beginning?). Filtering them out should do the trick then.