
authentication searches return extra events


When diving into the data, it looks like the Authentication data model is returning two events for one actual login. It looks like the event to get permission from the domain controller is recorded, and then the actual login to the computer is logged.

Is this normal, an incorrect Windows setup, or a bad data model?

Thank you,



So, I know this is an older post, but I am having this problem as well. I am seeing the 4624 and then also the 4776. So, the question is: should we tweak the Windows TA to remove the tags for all but the 4624 events?

0 Karma

Path Finder

Hi @RickbondPNT , if my answer helped, please accept it as the answer. Otherwise please provide more information and I'll be glad to help. Thanks!!

0 Karma

Path Finder

@RickbondPNT just wondering if it worked or what other issues you might be having? Thanks!

0 Karma

Path Finder

Have you checked your eventtypes? The events should be filtered there.

0 Karma

Path Finder

May need some more information: you mentioned "get permissions", so you may be referring to Event ID 4672, which is not always logged with each logon (4624).

The events you are describing should be separate EventCodes (aka Event IDs), the values of which should be in the "signature_id" field in the data model.

Assuming you have the Windows TA installed on your indexer and search head, try the search below (change the index to match your Windows events) to see the order of events in a more readable format.

Notice the relationship between 4672 (Special privileges assigned to new logon) and 4624 (An account was successfully logged on). Not all 4624 events will be preceded by 4672.

index=* (sourcetype=WinEventLog* OR sourcetype=XmlWinEventLog*)
| lookup windows_signatures.csv signature_id as EventCode OUTPUT signature as description
| table _time user EventCode action description

If your Authentication data model is accelerated, you can run this search to view the events with Event ID.

| tstats summariesonly=t count from datamodel=Authentication by _time span=1m Authentication.user Authentication.signature_id Authentication.action sourcetype

Just remove 'summariesonly=t' if you have not accelerated that data model.
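As an added illustration (not part of the original thread or of the Splunk Windows TA), the script below models the behaviour both posters describe with a constructed set of Windows Security events: one real logon by a user produces a 4776 credential-validation event on the domain controller, a 4624 on the workstation, and a 4672 that shares the 4624's Logon ID. It contrasts a naive count of everything tagged "authentication" with a count restricted to logon-outcome events (4624/4625), and shows how to fold 4672 into its session by Logon ID instead of treating it as a second logon. The event dicts, the host names, the Logon ID values and the AUTH_TAGGED_IDS mapping are all assumptions made for the example; the real tag mapping lives in the TA's eventtypes.conf and tags.conf and may differ.

```python
"""
Added example, not code from the original Splunk Community thread.

Models why an Authentication data model search can return several events
for one interactive logon, and two ways to count actual logons.

Assumptions (not stated on the page): events carry the data-model fields
the answer names (signature_id, user, action) plus raw Windows fields
Logon_ID and host; AUTH_TAGGED_IDS is a hypothetical stand-in for the
tag/eventtype mapping shipped by the Windows TA.
"""
from collections import defaultdict

# Constructed sample data: one real logon by alice to WS01, as recorded on
# the domain controller (DC01) and the workstation (WS01), plus one failure.
SAMPLE_EVENTS = [
    # DC validates the credentials (NTLM 4776); no session exists yet.
    {"_time": 1, "host": "DC01", "signature_id": 4776, "user": "alice",
     "action": "success", "Logon_ID": None},
    # Workstation creates the session (4624).
    {"_time": 2, "host": "WS01", "signature_id": 4624, "user": "alice",
     "action": "success", "Logon_ID": "0x3E7A1"},
    # Privileges assigned to that same session (4672 shares the Logon ID).
    {"_time": 2, "host": "WS01", "signature_id": 4672, "user": "alice",
     "action": "success", "Logon_ID": "0x3E7A1"},
    # An unrelated failed logon, for contrast.
    {"_time": 5, "host": "WS02", "signature_id": 4625, "user": "bob",
     "action": "failure", "Logon_ID": None},
]

# Hypothetical tag mapping: every one of these IDs tagged "authentication".
AUTH_TAGGED_IDS = {4624, 4625, 4672, 4776}
# IDs that represent a logon outcome rather than a supporting step.
LOGON_OUTCOME_IDS = {4624, 4625}


def count_authentication_events(events):
    """What a naive count over the Authentication data model would return."""
    return sum(1 for e in events if e["signature_id"] in AUTH_TAGGED_IDS)


def count_logons(events, outcome="success"):
    """Count only logon-outcome events: 4624 (success) or 4625 (failure)."""
    return sum(
        1 for e in events
        if e["signature_id"] in LOGON_OUTCOME_IDS and e["action"] == outcome
    )


def sessions_by_logon_id(events):
    """Attach 4672 to the 4624 session it belongs to, keyed by Logon_ID,
    so privilege assignment is a property of the session, not a logon."""
    sessions = defaultdict(
        lambda: {"user": None, "host": None, "privileged": False}
    )
    for e in events:
        lid = e["Logon_ID"]
        if lid is None:          # 4776 / 4625 carry no session ID here
            continue
        s = sessions[lid]
        if e["signature_id"] == 4624:
            s["user"], s["host"] = e["user"], e["host"]
        elif e["signature_id"] == 4672:
            s["privileged"] = True
    return dict(sessions)


def events_per_user(events):
    """Time-ordered (host, signature_id) list per user, the view the answer's
    `table _time user EventCode` search gives you."""
    out = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        out[e["user"]].append((e["host"], e["signature_id"]))
    return dict(out)


if __name__ == "__main__":
    print("tagged authentication events:", count_authentication_events(SAMPLE_EVENTS))
    print("successful logons:", count_logons(SAMPLE_EVENTS))
    print("sessions:", sessions_by_logon_id(SAMPLE_EVENTS))
    print("per user:", events_per_user(SAMPLE_EVENTS))
```

The SPL equivalent of count_logons is to constrain the data model search rather than re-tag the TA, for example by adding where Authentication.signature_id IN (4624, 4625) to the tstats search above (or filtering on Authentication.action), which keeps 4672 and 4776 available for other detections while your logon counts reflect one event per logon.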
