I am brand new to Splunk and I'm looking for a quick helping hand to get me started. I'd like to create a simple table (or any other useful display mechanism) to create a dashboard or report to show changes to my local servers. I am specifically interested in showing events 4720, 4738 and 4726. Initially I would like to start with 4720 (see below). I would like to display the time the event occurred, on which host, the user who created the account, the account name and finally extract the text "Message=A user account was created." to appear in the last column. Once I understand how to do this I should be able to replicate this for my other events. May I please ask for some assistance while I'm still learning?
10/30/2012 08:05:24 PM
SourceName=Microsoft Windows security auditing.
TaskCategory=User Account Management
Message=A user account was created.
Security ID: LabMGT\Walter Black
Account Name: Walter Black
Account Domain: SORCEDMGT
SAM Account Name: Walter Black
User Principal Name: -
Password Last Set:
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
'Password Not Required' - Enabled
'Normal Account' - Enabled
SID History: -
Logon Hours: All
host=LabMGT | sourcetype=WinEventLog:Security | source=WinEventLog:Security
Here is a query I use to search for 4720 events and put them into a table; however, I'm not sure how to extract the Message field to show last. Maybe this will give you a starting point. Sorry I couldn't help further 🙂
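The search below is an added example written for this page; it is not the query the reply above refers to (that query does not appear on the page) and it is not from the original poster. It assumes the events carry the sourcetype shown in the sample (WinEventLog:Security) and that the full event body, which the sample above shows only in part, has the standard "Subject:" and "New Account:" sections of a 4720 event (4726 and 4738 use "Target Account:" for the affected account instead). The field names Creator, Account and PasswordNotRequired are chosen here for illustration. It goes slightly beyond the 4720 case in the question by covering all three event codes named there in one search.

```spl
sourcetype="WinEventLog:Security" (EventCode=4720 OR EventCode=4726 OR EventCode=4738)
| rex field=_raw "Message=(?<Message>[^\r\n]+)"
| rex field=_raw "(?s)Subject:.*?Account Name:\s+(?<Creator>[^\r\n]+)"
| rex field=_raw "(?s)(?:New Account|Target Account):.*?Account Name:\s+(?<Account>[^\r\n]+)"
| rex field=_raw "'Password Not Required' - (?<PasswordNotRequired>\w+)"
| eval Creator=trim(Creator), Account=trim(Account)
| table _time host EventCode Creator Account PasswordNotRequired Message
| sort - _time
```

Each rex pulls one value out of the raw event text: the first takes only the first line after "Message=" (so the column reads "A user account was created." rather than the whole body), the next two anchor on the section heading before matching "Account Name:" so the creator (Subject) and the created or affected account are not confused with each other, and the last one surfaces the 'Password Not Required' flag that the sample event shows as Enabled, which is worth keeping visible on a dashboard because such accounts can be logged into without a password. Splunk also auto-extracts Account_Name as a multivalue field on these events, so `eval Creator=mvindex(Account_Name,0), Account=mvindex(Account_Name,1)` is a shorter alternative, but it assumes the extraction preserves the order of the sections in the event; the rex form above does not depend on that. Once the table looks right, save the search as a report or as a dashboard panel from the search view.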