https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745547#M241482 <P>Thanks this works for me, I already check and tested the result.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Casial06_0-1746527392487.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/38866iF52D865189C7A54F/image-size/medium?v=v2&amp;px=400" role="button" title="Casial06_0-1746527392487.png" alt="Casial06_0-1746527392487.png" /></span></P><P><BR />Just an additional question regarding the 2nd stats command on my post, i also want to count all the result and if the totalAccount &gt;= 10 it should trigger the alert.<BR /><BR />Should I continue using 2nd stats command or should I use subsearch or join?<BR /><BR />Here's the 2nd stats command query:<BR />| stats count dc(login_account) as "UniqueAccount" values(login_account) as "Login_Account" values(host) as "HostName" values(Workstation_Name) as Source_Computer values(src_ip) as SourceIP by EventCode<BR />| where UniqueAccount &gt;= 10<BR /><BR /><BR /></P> Tue, 06 May 2025 10:33:27 GMT Casial06 2025-05-06T10:33:27Z https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745485#M241460 <P>I'm creating Mutiple Locked account search query while checking the account first if it has 4767 (unlocked) it should ignore account that has 4767 in a span of 4hrs<BR /><BR />This is my current search query and not sure if the "join" command is working.<BR />index=*<BR />| join Account_Name [ search index=* EventCode=4740 OR EventCode=4767<BR />| eval login_account=mvindex(Account_Name,1)<BR />| bin span=4h&nbsp; _time<BR />| stats count values(EventCode) as EventCodeList count(eval(match(EventCode,"4740"))) as Locked ,count(eval(match(EventCode,"4767"))) as Unlocked by Account_Name<BR />| where Locked &gt;= 1 and Unlocked = 0<BR />]<BR />| stats count dc(login_account) as "UniqueAccount" values(login_account) as "Login_Account" values(host) as "HostName" values(Workstation_Name) as Source_Computer values(src_ip) as SourceIP by EventCode| where UniqueAccount &gt;= 10</P> Mon, 05 May 2025 12:55:19 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745485#M241460 Casial06 2025-05-05T12:55:19Z https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745489#M241461 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261206">@Casial06</a>&nbsp;</P><P>Firstly I think you should be able to achieve this with a stats rather than a join, I'll show an example below. The other thing to consider is that using a span of 4 hours might cause incorrect matchings depending on when within the 4 hour span the activity occurs.</P><P>For example, if an account is locked at 11:50 and unlocked at 12:05, the 4 hour span might split into 08:00-12:00 and 12:00-16:00 - meaning that the lock and unlock are captured in different spans.&nbsp;</P><P>Instead you could look at just checking if there has been a lock since the last unlock, or no unlocks. Check the following and see if its useful, I've generated some sample data to work through some scenarios:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="livehybrid_0-1746454357246.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/38852iDA0BBC97BE770EF3/image-size/medium?v=v2&amp;px=400" role="button" title="livehybrid_0-1746454357246.png" alt="livehybrid_0-1746454357246.png" /></span></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults format=csv data="_time,Account_Name,EventCode,host,Workstation_Name,src_ip 2025-04-12T08:00:00Z,Acct1,4740,hostA,workA,10.1.1.1 2025-04-12T09:00:00Z,Acct1,4740,hostB,workB,10.1.1.1 2025-04-12T13:00:00Z,Acct1,4767,hostB,workB,10.1.1.1 2025-04-12T08:10:00Z,Acct2,4740,hostC,workC,10.2.2.2 2025-04-12T09:12:00Z,Acct2,4740,hostC,workD,10.2.2.2 2025-04-12T14:15:00Z,Acct2,4740,hostE,workD,10.2.2.2 2025-04-12T10:00:00Z,Acct3,4740,hostD,workF,10.3.3.3 2025-04-12T15:00:00Z,Acct3,4767,hostD,workG,10.3.3.3 2025-04-12T11:00:00Z,Acct4,4740,hostG,workH,10.4.4.4 2025-04-12T15:00:00Z,Acct4,4767,hostG,workH,10.4.4.4 2025-04-12T13:00:00Z,Acct5,4740,hostH,workI,10.5.5.5 2025-04-12T14:00:00Z,Acct1,4740,hostA,workA,10.1.1.1" | eval _time=strptime(_time,"%Y-%m-%dT%H:%M:%SZ") | eval UnlockTime=IF(EventCode=4767,_time,null()) | eval LockTime=IF(EventCode=4740,_time,null()) | stats earliest(LockTime) as firstLockTime, latest(LockTime) as lastLockTime, latest(UnlockTime) as lastUnlockTime, range(_time) as timeRange, count(eval(EventCode=4740)) as Locked, count(eval(EventCode=4767)) as Unlocked by Account_Name | where lastLockTime&gt;lastUnlockTime OR isnull(lastUnlockTime)</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 05 May 2025 14:12:48 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745489#M241461 livehybrid 2025-05-05T14:12:48Z https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745547#M241482 <P>Thanks this works for me, I already check and tested the result.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Casial06_0-1746527392487.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/38866iF52D865189C7A54F/image-size/medium?v=v2&amp;px=400" role="button" title="Casial06_0-1746527392487.png" alt="Casial06_0-1746527392487.png" /></span></P><P><BR />Just an additional question regarding the 2nd stats command on my post, i also want to count all the result and if the totalAccount &gt;= 10 it should trigger the alert.<BR /><BR />Should I continue using 2nd stats command or should I use subsearch or join?<BR /><BR />Here's the 2nd stats command query:<BR />| stats count dc(login_account) as "UniqueAccount" values(login_account) as "Login_Account" values(host) as "HostName" values(Workstation_Name) as Source_Computer values(src_ip) as SourceIP by EventCode<BR />| where UniqueAccount &gt;= 10<BR /><BR /><BR /></P> Tue, 06 May 2025 10:33:27 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745547#M241482 Casial06 2025-05-06T10:33:27Z https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745648#M241509 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;, Thanks for this info and sample query it helps me complete the query I needed.</P> Wed, 07 May 2025 10:03:55 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745648#M241509 Casial06 2025-05-07T10:03:55Z https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745679#M241515 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261206">@Casial06</a>&nbsp;</P><P>I'd probably use a second stats to get the total number, you could use "| eventstats count as totalAccounts" if you want to keep the details of the accounts for your alert.</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 07 May 2025 12:04:00 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Locked-Account-Query/m-p/745679#M241515 livehybrid 2025-05-07T12:04:00Z