Dashboards & Visualizations

Create Dashboard Table - Windows Event Log

New Member

Hi All,

I am brand new to Splunk and I'm looking for a quick helping hand to get me started. I'd like to create a simple table (or any other useful display mechanism) to create a dashboard or report to show changes to my local servers. I am specifically interested in showing events 4720, 4738 and 4726. Initially I would like to start with 4720 (see below). I would like to display the time the event occurred, on which host, the user who created the account, the account name and finally extract the text "Message=A user account was created." to appear in the last column. Once I understand how to do this I should be able to replicate this for my other events. May I please ask for some assistance while I'm still learning?

Thank you.


10/30/2012 08:05:24 PM
SourceName=Microsoft Windows security auditing.
TaskCategory=User Account Management
Keywords=Audit Success
Message=A user account was created.

Security ID: LabMGT\Administrator
Account Name: Administrator
Account Domain: LABMGT
Logon ID: 0x1c912

New Account:
Security ID: LabMGT\Walter Black
Account Name: Walter Black
Account Domain: SORCEDMGT

SAM Account Name: Walter Black
Display Name:
User Principal Name: -
Home Directory:
Home Drive:
Script Path:
Profile Path:
User Workstations:
Password Last Set:
Account Expires:
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:

Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters:
SID History: -
Logon Hours: All

Additional Information:
Privileges -
host=LabMGT | sourcetype=WinEventLog:Security | source=WinEventLog:Security


New Member

Here is a query I use to search for 4720 events and put them into a table, however I'm not sure how to extract the Message field to show last. Maybe this will give you a starting point, sorry I couldn't help further 🙂

source="WinEventLog:Security" (NewDomain="YOURDOMAIN") (EventCode="4720") NewAccount_Name!=$* |table *

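An added example, not code from either post above, of one search that produces the table the question asks for and covers all three event codes at once. It assumes the events are indexed with the raw text laid out as in the sample (the Subject block first, then a "New Account:" block for 4720 or a "Target Account:" block for 4726 and 4738, which is how Windows formats these three events) and pulls the two account names out of `_raw` by position with `rex` rather than relying on any add-on field extractions. The field names `actor`, `target_account` and `message` are my own choices.

```spl
source="WinEventLog:Security" sourcetype="WinEventLog:Security"
    (EventCode=4720 OR EventCode=4726 OR EventCode=4738)
| rex field=_raw "(?s)Account Name:\s+(?<actor>[^\r\n]+).*?(?:New|Target) Account:.*?Account Name:\s+(?<target_account>[^\r\n]+)"
| rex field=_raw "Message=(?<message>[^\r\n]+)"
| eval actor=trim(actor), target_account=trim(target_account)
| sort - _time
| table _time host EventCode actor target_account message
| rename _time AS Time, host AS Host, EventCode AS Event, actor AS "Performed by", target_account AS Account, message AS Message
```

The first `rex` uses `(?s)` so `.*?` can cross line breaks: the first "Account Name:" in the event is always the subject (Administrator in the sample), and the "Account Name:" after the "New Account:" or "Target Account:" heading is the account acted on (Walter Black). The second `rex` keeps only the one-line summary after `Message=`, so the last column reads "A user account was created.", "A user account was changed." or "A user account was deleted." depending on the event code. Save the search as a report or add it as a dashboard panel; to drop computer accounts, whose names end in `$`, add `| where NOT match(target_account, "\$$")` before the `table` command. If the Splunk Add-on for Microsoft Windows is installed, `Account_Name` is already extracted as a multivalue field on these events and `mvindex(Account_Name,0)` / `mvindex(Account_Name,1)` can replace the first `rex`; that depends on the add-on's field extractions, so check them on your own data first.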