
authentication searches return extra events


When diving into the data, it looks like the Authentication data model is returning two events for one actual login. It looks like the event to get permission from the domain controller is recorded, and then the actual login to the computer is logged.

Is this normal, an incorrect Windows setup, or a bad data model?

Thank you,



So, I know this is an older post, but I am having this problem as well. I am seeing the 4624 and then also the 4776. So, the question is: should we tweak the Windows TA to remove the tags for all but the 4624 events?


Hi @RickbondPNT, if my answer helped, please accept it as the answer. Otherwise, please provide more information and I'll be glad to help. Thanks!


@RickbondPNT, just wondering if it worked or what other issues you might be having? Thanks!


Have you checked your eventtypes? The events should be filtered there.


May need some more information: you mentioned "get permissions", so you may be referring to Event ID 4672, which is not always logged with each logon (4624).

The events you are describing should be separate EventCodes aka EventIDs, the values of which should be in the "signature_id" field in the data model.

Assuming you have the Windows TA installed on your indexer and search head, try the search below (change the index to match your Windows events) to see the order of events in a more readable format.

Notice the relationship between 4672 (Special privileges assigned to new logon) and 4624 (An account was successfully logged on).
Not all 4624 events will be preceded by 4672.

index=* (sourcetype=WinEventLog* OR sourcetype=XmlWinEventLog*)
| lookup windows_signatures.csv signature_id as EventCode OUTPUT signature as description
| table _time user EventCode action description

If your Authentication data model is accelerated, you can run this search to view the events with Event ID.

| tstats summariesonly=t count from datamodel=Authentication by _time span=1m Authentication.user Authentication.signature_id Authentication.action sourcetype

Just remove the 'summariesonly=t' if you have not accelerated that data model.
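As an added illustration that is not part of this thread, the script below reproduces outside Splunk what the two searches above do: it parses a few constructed WinEventLog-style lines (sample data, not real logs), joins a small stand-in for the windows_signatures.csv lookup, buckets events by one-minute span, user and EventCode the way the tstats search does, and then counts logons once per 4624 so the DC-side 4776 and the 4672 privilege event are not double counted. The line format, field names and event descriptions are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real data): one interactive logon shows up as a
# DC-side credential validation (4776), a privilege assignment (4672) and the
# logon itself (4624), all within the same minute.
SAMPLE_EVENTS = """\
01/15/2024 09:12:01 AM EventCode=4776 user=jdoe ComputerName=DC01
01/15/2024 09:12:02 AM EventCode=4672 user=jdoe ComputerName=WS01
01/15/2024 09:12:02 AM EventCode=4624 user=jdoe ComputerName=WS01
01/15/2024 09:12:40 AM EventCode=4624 user=svc_backup ComputerName=WS02
01/15/2024 09:15:10 AM EventCode=4776 user=jdoe ComputerName=DC01
01/15/2024 09:15:11 AM EventCode=4624 user=jdoe ComputerName=WS03
"""

# Stand-in for the windows_signatures.csv lookup referenced in the answer.
SIGNATURES = {
    4624: "An account was successfully logged on",
    4672: "Special privileges assigned to new logon",
    4776: "The computer attempted to validate the credentials for an account",
}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) EventCode=(?P<code>\d+) user=(?P<user>\S+)")

def parse_events(text):
    """Return (timestamp, user, EventCode, description) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed key=value format; ignore
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        code = int(m["code"])
        events.append((ts, m["user"], code, SIGNATURES.get(code, "unknown")))
    return events

def bucket_by_minute(events):
    """Mimic `| tstats count ... by _time span=1m user signature_id`."""
    counts = defaultdict(int)
    for ts, user, code, _ in events:
        counts[(ts.replace(second=0), user, code)] += 1
    return dict(counts)

def count_logons(events, logon_codes=(4624,)):
    """Count logons per user using only the codes that represent the logon itself."""
    per_user = defaultdict(int)
    for _, user, code, _ in events:
        if code in logon_codes:
            per_user[user] += 1
    return dict(per_user)
```

Calling count_logons with logon_codes=(4624, 4776) shows the inflated count the original poster saw; the default of 4624 alone gives one count per real logon.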
