https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-subject-account-name-in-the-event-log-below-as/m-p/622405#M216346 <P>I want to filter the Subject Account Name in the Event log below as those other than Admin. So I want to see the cases where this log appears outside of the Admin. How can I do it ?</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">11/29/2022 12:23:16 PM LogName=Security EventCode=4738 EventType=0 ComputerName=dc.windomain.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=247213 Keywords=Audit Success TaskCategory=User Account Management OpCode=Info Message=A user account was changed. Subject: Security ID: S-1-5-21-4236582264-665789389-1555517817-1000 Account Name: Admin Account Domain: WINDOMAIN Logon ID: 0x59B44 Target Account: Security ID: S-1-5-21-4236582264-665789389-1555517817-1324 Account Name: aleda.billye Account Domain: WINDOMAIN</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 29 Nov 2022 14:16:21 GMT realkazanova1 2022-11-29T14:16:21Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-subject-account-name-in-the-event-log-below-as/m-p/622405#M216346 <P>I want to filter the Subject Account Name in the Event log below as those other than Admin. So I want to see the cases where this log appears outside of the Admin. How can I do it ?</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">11/29/2022 12:23:16 PM LogName=Security EventCode=4738 EventType=0 ComputerName=dc.windomain.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=247213 Keywords=Audit Success TaskCategory=User Account Management OpCode=Info Message=A user account was changed. Subject: Security ID: S-1-5-21-4236582264-665789389-1555517817-1000 Account Name: Admin Account Domain: WINDOMAIN Logon ID: 0x59B44 Target Account: Security ID: S-1-5-21-4236582264-665789389-1555517817-1324 Account Name: aleda.billye Account Domain: WINDOMAIN</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 29 Nov 2022 14:16:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-subject-account-name-in-the-event-log-below-as/m-p/622405#M216346 realkazanova1 2022-11-29T14:16:21Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-subject-account-name-in-the-event-log-below-as/m-p/622410#M216349 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/251728">@realkazanova1</a>,</P><P>you have to run a simple search like this:</P><LI-CODE lang="markup">index=wineventlog EventCode=4738 Account_name!="admin"</LI-CODE><P>put attention if you have the Account_name field or another one.</P><P>If you don't have the correct field extractions, you have to install in your Search Head the Splunk_TA_Windows Add-on (<A href="https://splunkbase.splunk.com/app/742" target="_blank">https://splunkbase.splunk.com/app/742</A>)&nbsp;to correctly parse your data.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 29 Nov 2022 13:29:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-subject-account-name-in-the-event-log-below-as/m-p/622410#M216349 gcusello 2022-11-29T13:29:00Z