Dashboards & Visualizations

Create Dashboard Table - Windows Event Log

New Member

Hi All,

I am brand new to Splunk and I'm looking for a quick helping hand to get me started. I'd like to create a simple table (or any other useful display mechanism) to create a dashboard or report to show changes to my local servers. I am specifically interested in showing events 4720, 4738 and 4726. Initially I would like to start with 4720 (see below). I would like to display the time the event occurred, on which host, the user who created the account, the account name and finally extract the text "Message=A user account was created." to appear in the last column. Once I understand how to do this I should be able to replicate this for my other events. May I please ask for some assistance while I'm still learning?

Thank you.

10/30/2012 08:05:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=LabMGT.Test.Com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=346
Keywords=Audit Success
Message=A user account was created.

Subject:
Security ID: LabMGT\Administrator
Account Name: Administrator
Account Domain: LABMGT
Logon ID: 0x1c912

New Account:
Security ID: LabMGT\Walter Black
Account Name: Walter Black
Account Domain: SORCEDMGT

Attributes:
SAM Account Name: Walter Black
Display Name:
User Principal Name: -
Home Directory:
Home Drive:
Script Path:
Profile Path:
User Workstations:
Password Last Set:
Account Expires:
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:

Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters:
SID History: -
Logon Hours: All

Additional Information:
Privileges -
host=LabMGT | sourcetype=WinEventLog:Security | source=WinEventLog:Security

0 Karma

New Member

Here is a query I use to search for 4720 events and put them into a table; however, I'm not sure how to extract the Message field to show last. Maybe this will give you a starting point, sorry I couldn't help further 🙂

source="WinEventLog:Security" (NewDomain="YOURDOMAIN") (EventCode="4720") NewAccount_Name!=$* |table *

0 Karma
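An added example (not code from either poster) that produces the table the question asks for. It pulls the subject account, the new account and the first line of the message out of the raw event text shown above with rex, so it does not depend on which fields the Windows add-on happens to extract. It also covers 4726 and 4738, whose message body uses a "Target Account:" section where 4720 has "New Account:". The field names subject_account, target_account and message are names chosen for this example.

```spl
sourcetype="WinEventLog:Security" (EventCode=4720 OR EventCode=4726 OR EventCode=4738)
| rex field=_raw "Message=(?<message>[^\r\n]+)"
| rex field=_raw "(?ms)Subject:.*?Account Name:\s+(?<subject_account>[^\r\n]+)"
| rex field=_raw "(?ms)(?:New|Target) Account:.*?Account Name:\s+(?<target_account>[^\r\n]+)"
| eval subject_account=trim(subject_account), target_account=trim(target_account)
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| sort - _time
| table time, host, EventCode, subject_account, target_account, message
```

The first rex takes only the text up to the end of the "Message=" line, which is the "A user account was created." string the question asks for. The `(?ms)` flag lets `.*?` run across line breaks, so the second rex stops at the first "Account Name:" after "Subject:" (the administrator who made the change) and the third at the first one after "New Account:" or "Target Account:" (the account that was created, deleted or changed); the lazy `.*?` is what keeps the later "SAM Account Name:" line from being picked up. Run the search for the time range you want, then use Save As to store it as a report or add it as a dashboard panel. If the Splunk Add-on for Microsoft Windows is installed it already extracts a multivalued Account_Name for these events, in which case mvindex(Account_Name, 0) and mvindex(Account_Name, 1) can replace the two account rex lines; check the extracted fields in your own environment first, since that depends on the add-on version.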