All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alert on Interactive logins

diegosainz
Path Finder
‎10-15-2013 09:34 AM

I am looking to run a daily report of users from a specific OU that are listed as logging in interactively (EventCode=4624 AND Logon_Type=3). Is there a way to run the subsearch to correlate that for a daily report?

Tags (2)
0 Karma
Reply

lukejadamec
Super Champion
‎10-15-2013 09:57 AM

Schedule the following search to run once a day, and send you an email with the results.

index=main sourcetype="*security*" EventCode=4624 Logon_Type=3  |eval Account_Name=mvindex(Account_Name,1)|search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"| dedup Account_Name,ComputerName |table _time,Account_Name,ComputerName

eval Account_Name=mvindex(Account_Name,1) Takes the second Account Name field from the event Message field. Check your logs to verify it is the second Account Name you're interested in, change the 1 to a 0 if you want the first. If you want to show both, let me know.

search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON" removes the system accounts and the NT Authority activity. Remove this if you want to show all accounts.

dedup Account_Name,ComputerName Takes the most recent pair and drops the others. Remove this if you want to show each logon event.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...